
SMS PASSCODE 4.0 - Administrators Guide - Rev1.0

SMS PASSCODE 4.0 / ADMINISTRATOR’S GUIDE 1 OF 239

© 2010 SMS PASSCODE A/S. ALL RIGHTS RESERVED.

SMS PASSCODE® 4.0
ADMINISTRATOR’S GUIDE
REV. 1.0 (JUNE 2010)


TABLE OF CONTENTS

1 Introduction  5
2 Notation  5
3 New Features  7
  3.1 ISA/TMG Web Site Protection  7
  3.2 Windows Logon Protection  7
    3.2.1 VMware View Protection  7
  3.3 Citrix Web Interface Protection  8
  3.4 memoPasscodes™  8
  3.5 Terminal Service / Remote Desktop Protection  8
    3.5.1 TS/RD Web with Form-Based Authentication  8
    3.5.2 RD Web with Single Sign-on  8
  3.6 Configuration Tool  9
4 Feature Overview  9
  4.1 Authentication Clients  9
  4.2 Security  11
  4.3 Installation  11
  4.4 Administration  12
  4.5 Enterprise Environment Support  12
5 Components  14
6 System Requirements  18
  6.1 Terminal Service / Remote Desktop Service Protection  21
  6.2 SharePoint Portal Server Protection  22
  6.3 Citrix iPhone Receiver Protection  22
7 Hardware – GSM Modems  27
8 Infrastructure  27
  8.1 Component Communication  28
  8.2 Single Server Installation  30
  8.3 Multi Server Installation – Citrix Web Interface  31
  8.4 Multi Server Installation – RADIUS Clients  34
  8.5 Multi Server Installation – Enterprise Setup  35
  8.6 Multi Server Installation – Total Distribution  37
9 Pre-Installation Actions  39
  9.1 Check SIM Cards  39
  9.2 Check System Requirements  40
    9.2.1 Installation of IAS  41
    9.2.2 Installation of NPS  43
    9.2.3 Protection of TS/RD Web Access on Windows Server 2008 (R2)  44
    9.2.4 Protecting VMware View 4.0  54
    9.2.5 Protection of SharePoint Portal Server  54
10 Upgrade  59
11 First-time Installation  59
  11.1 Installation of Hardware  59
  11.2 Installation of the SMS PASSCODE® Software  60
    11.2.1 Single Server Installation  60
    11.2.2 Multi Server Installation  75
12 SMS PASSCODE® Configuration  98
  12.1 Web Administration Interface  99
    12.1.1 Starting the Web Administration Interface  99
    12.1.2 Maintaining Users  103
    12.1.3 Importing Users  110
    12.1.4 Transmitter Hosts  111
    12.1.5 Load Balancing Hosts  112
    12.1.6 GSM Modems  114
    12.1.7 GSM Modem Groups  118
    12.1.8 Load Balancing Policies  122
    12.1.9 Modem Monitoring  137
    12.1.10 General Settings  139
    12.1.11 Passcode Settings  140
    12.1.12 Active Directory Integration Settings  142
    12.1.13 Maintaining License Information  151
  12.2 Importing and Synchronizing Users from other Data Sources  152
  12.3 Configuring Citrix Web Interface Protection  153
  12.4 Configuring RADIUS Protection  154
    12.4.1 Configuring RADIUS Protection on Windows Server 2003  154
    12.4.2 Configuring RADIUS Protection on Windows Server 2008  162
    12.4.3 Advanced Configuration of the RADIUS Protection Component  171
    12.4.4 RADIUS Forwarding  183
  12.5 Configuring ISA/TMG Web Site Protection  198
  12.6 Configuring IIS Web Site Protection  203
    12.6.1 ISAPI Filter  203
    12.6.2 ISAPI Filter Configuration File  203
    12.6.3 The IsapiAdmin Tool  204
    12.6.4 ISAPI Filter Configuration File Syntax  208
  12.7 Configuring Windows Logon Protection  212
    12.7.1 Windows Logon User Exclusion Groups  212
    12.7.2 Windows Logon Lock Time  213
    12.7.3 RDP Listener Exclusion  214
    12.7.4 Credential Provider Filtering  217
    12.7.5 GINA Chaining  218
  12.8 Configuring CAGAE Protection  218
    12.8.1 Protecting and Unprotecting Logon Points  218
    12.8.2 Redundant CAGAE Setup  223
    12.8.3 Uninstalling CAGAE Protection  226
  12.9 Configuration Tool  226
    12.9.1 Command line arguments  229
13 Add/Remove Components  231
14 Troubleshooting  232
  14.1 SMS Transmission Problems  232
  14.2 Error message “No mobile number for user” During Authentication  233
  14.3 Component Communication Problems in a Multi Server Setup  236
  14.4 Active Directory Integration does not Work as Expected  238

© 2010 SMS PASSCODE A/S. SMS PASSCODE is a registered trademark of SMS PASSCODE A/S. All other trademarks are the property of their respective owners.


1 INTRODUCTION

This document describes how to install, configure and administer SMS PASSCODE® version 4.0.

2 NOTATION

Shorthand: Description

AD: Active Directory

CAE: Citrix Access Essentials

CAG: Citrix Access Gateway

CAGAE: Citrix Access Gateway Advanced Edition

IAG: Microsoft Intelligent Application Gateway

IAS: Internet Authentication Service. Optional component on Windows Server 2003; the Microsoft implementation of a RADIUS server.

IIS: Internet Information Server. Optional component/role on Windows Server 2003/2008.

ISA: Internet Security and Acceleration Server. A Microsoft security gateway server.

Machine: General term used to denote a server or a workstation.

memoPasscodes™: A new SMS PASSCODE® innovation making passcodes easier to memorize during authentication.

NPS: Network Policy Server. Optional role on Windows Server 2008; the Microsoft implementation of a RADIUS server.

OWA: Microsoft Outlook Web Access

RD: Remote Desktop

RDS: Microsoft Remote Desktop Services

SMS PASSCODE® authentication client: One of the SMS PASSCODE® components Citrix Web Interface Protection, RADIUS Protection, IIS Web Site Protection, ISA/TMG Web Site Protection, Windows Logon Protection or Citrix Access Gateway Advanced Edition Protection, i.e. one of the components responsible for authentication of a specific type of client.

SMS PASSCODE® core component: One of the SMS PASSCODE® components Database Service, Web Administration Interface, Transmitter Service or Load Balancing Service.

TMG: Threat Management Gateway. A Microsoft security gateway server (the successor of the Microsoft ISA Server).

TS: Microsoft Terminal Service

UAG: Microsoft Unified Access Gateway (the successor of the Microsoft Intelligent Application Gateway)

WAI: SMS PASSCODE® Web Administration Interface


3 NEW FEATURES

This section summarizes the most important new features in SMS PASSCODE® version 4.0.

3.1 ISA/TMG Web Site Protection

Previously, SMS PASSCODE® contained a component called Web Site Protection that offered protection of IIS web sites using SMS PASSCODE® authentication. SMS PASSCODE® 4.0 introduces a new component which offers protection of web sites published through a Microsoft ISA Server 2006 or Microsoft TMG 2010. This new type of protection performs SMS PASSCODE® authentication directly on the ISA/TMG server, before the authenticated user is forwarded to the web server.

To differentiate these two types of protection, the former Web Site Protection component has been renamed IIS Web Site Protection. The new component is called ISA/TMG Web Site Protection.

3.2 Windows Logon Protection

Previously, SMS PASSCODE® offered Windows Logon Protection on Windows XP and Windows Server 2003. Protection of Windows Logon on Windows Vista and later was not supported, because Microsoft changed the Windows Logon architecture completely starting from Windows Vista by introducing the so-called Credential Provider architecture.

SMS PASSCODE® 4.0 includes a custom credential provider that offers Windows Logon protection on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. This means that SMS PASSCODE® Windows Logon Protection is now supported on all newer Microsoft operating systems.

SMS PASSCODE® Windows Logon Protection is useful in several scenarios. Examples:

• Protecting administrators’ RDP access to critical servers
• Protecting RDP access to Terminal Servers / Remote Desktop Servers [1]
• Protecting RDP access to virtual workstations, e.g. VMware View and XenDesktop workstations

The Windows Logon Protection component now also supports RDP Listener exclusion. This means that when you have multiple RDP listeners on a machine, you can apply SMS PASSCODE® authentication to selected RDP listeners only. E.g. if you have two RDP listeners, one for internal and one for external access, you can apply SMS PASSCODE® authentication to the external RDP access only.

3.2.1 VMware View Protection

SMS PASSCODE® 4.0 introduces a first-of-its-kind solution for protecting VMware View virtual clients using an SMS-based two-factor authentication system.

[1] In case SMS PASSCODE® authentication has not been applied to a TS/RD Web Access site.


3.3 Citrix Web Interface Protection

The Citrix Web Interface Protection component has been updated and now also supports Citrix Web Interface 5.3.

3.4 memoPasscodes™

SMS PASSCODE® 4.0 introduces a brand new type of passcode called memoPasscodes™. memoPasscodes™ are a special type of random passcodes that are easier for users to memorize. This makes authentication more convenient for users without compromising security (the number of possible random codes is still enormous).

3.5 Terminal Service / Remote Desktop Protection

3.5.1 TS/RD Web with Form-Based Authentication

When using a Terminal Service (TS) / Remote Desktop (RD) Web Access site for accessing TS/RD session host servers remotely, you have two options for protecting the site with SMS PASSCODE® authentication:

• Protect the TS/RD Web Access site directly on the IIS by installing SMS PASSCODE® IIS Web Site Protection on the server hosting the TS/RD Web Access site.

• If the TS/RD Web Access site has been published through an ISA/TMG server using a Web Listener: protect the TS/RD Web Access site by installing SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG server.

In both cases, SMS PASSCODE® authentication supports Form-Based authentication in a fully integrated way. However, note that Form-Based authentication directly on the IIS is not supported by TS/RD Web Access prior to Windows Server 2008 R2.

3.5.2 RD Web with Single Sign-on

When running RD Web Access on Windows Server 2008 R2, the RD Web Access site can be configured to use single sign-on (SSO). This SSO feature is supported by the SMS PASSCODE® IIS Web Site Protection component.

If you are planning to make use of SSO, ensure that SSO works without SMS PASSCODE® authentication before applying SMS PASSCODE® IIS Web Site Protection to the RD Web Access site.


3.6 Configuration Tool

The SMS PASSCODE® Configuration Tool has been extended considerably. This tool now also offers the following features:

• Configuration of all RADIUS protection settings using a graphical user interface
• Configuration of all Windows Logon protection settings using a graphical user interface
• Exporting all settings to a file
• Importing all settings from a file
• Performing import/export from a command line (BAT file / script)

4 FEATURE OVERVIEW

SMS PASSCODE® is a versatile two-factor authentication system with an extensive list of features. This section gives an overview of the most important ones.

4.1 Authentication Clients

SMS PASSCODE® provides comprehensive protection for a broad range of authentication clients. The following clients are currently supported:

• Citrix Web Interface

• RADIUS clients. Supported are:
  o Checkpoint
  o Cisco
  o Citrix Access Gateway
  o Juniper
  o Microsoft Intelligent Application Gateway / Unified Access Gateway (IAG/UAG)
  o Microsoft SharePoint Portal Server [2]
  o Any other RADIUS client supporting challenge/response
  o SMS PASSCODE® designed clients such as the Citrix Receiver for iPhone

• ISA/TMG Web Sites. Supports protection of web sites that have been published through a Microsoft ISA/TMG server using a Web Listener, e.g.:
  o Outlook Web Access 2003 / 2007 / 2010
  o Terminal Service Web Access (Windows Server 2008)
  o Remote Desktop Web Access (Windows Server 2008 R2)
  o Microsoft SharePoint Portal Server
  o IIS web sites using Basic or Integrated Windows Authentication
  o Any web site not requiring any pass-through authentication (authentication delegation)

• Internet Information Server (IIS) Web Sites. Supports protection of the following types of IIS web sites:
  o Outlook Web Access 2003 / 2007 / 2010
  o Terminal Service Web Access (Windows Server 2008)
  o Remote Desktop Web Access (Windows Server 2008 R2)
  o IIS Web Sites using Basic or Integrated Windows Authentication

• Windows Logon. Protection of:
  o Terminal Service (RDP Connections)
  o Windows servers
  o Windows workstations

• Logon Points of Citrix Access Gateway Advanced Edition

[2] Protection of SharePoint Portal Server using RADIUS is only supported if the SharePoint Portal Server is published through an application gateway that ensures the user is only asked to authenticate once, during the initial logon, e.g. Microsoft IAG/UAG, Citrix Access Gateway Enterprise Edition or Juniper SA, all configured to use persistent cookies.

SMS PASSCODE® is fully integrated into all supported authentication clients. No extra user actions are necessary to trigger the transmission of passcodes; the authentication is intuitive, which makes user training unnecessary.


4.2 Security

SMS PASSCODE® improves security in several respects. From a technical point of view, SMS PASSCODE® provides these security features:

• Strong authentication with protection against modern internet threats such as advanced phishing attacks, because passcodes are:
  o Session-specific (unlike hardware-token based solutions)
  o Challenge-based
  o Time-constrained
• Cryptographically strong random passcodes, generated using FIPS 140 validated crypto modules
• Configurable passcode length, complexity and lifetime
• Strong encryption
  o Built-in 256-bit AES encryption of all network communication
• Brute force attack protection
  o Automatic lockout of users after consecutive incorrect passcode entries
• Denial-of-service attack protection
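The properties listed above can be made concrete. The following Python sketch is an added illustration for this guide and is not SMS PASSCODE® code: it issues a random passcode bound to a session identifier and a user, stores only a keyed hash of the code, rejects the code after its lifetime or after a single use, rejects it when presented in another session or by another user, and locks the user after a configurable number of consecutive failures. The alphabet table, the HMAC-SHA256 storage, the 60-second default lifetime and the three-strike lockout are assumptions made for the example, not settings taken from the guide.

```python
"""Session-bound, time-limited one-time passcodes with lockout (added example).

Assumptions not taken from the guide: the alphabet table, HMAC-SHA256 storage
of the issued code, a 60-second default lifetime, lockout after 3 failures.
"""
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed alphabets; the real memoPasscode format is not documented here.
ALPHABETS = {
    "numeric": "0123456789",
    "alphanumeric": "ABCDEFGHJKLMNPQRSTUVWXYZ23456789",  # no 0/O or 1/I confusion
}


def keyspace_bits(length: int, alphabet: str) -> float:
    """log2 of the number of distinct passcodes for this length and alphabet."""
    return length * math.log2(len(alphabet))


@dataclass
class Challenge:
    user: str
    code_hash: bytes      # keyed hash of (session_id, code); the code is never stored
    issued_at: float
    lifetime: float
    consumed: bool = False


@dataclass
class PasscodeServer:
    length: int = 6
    alphabet: str = ALPHABETS["numeric"]
    lifetime: float = 60.0
    max_failures: int = 3
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    challenges: dict = field(default_factory=dict)   # session_id -> Challenge
    failures: dict = field(default_factory=dict)     # user -> consecutive failures
    locked: set = field(default_factory=set)

    def _hash(self, session_id: str, code: str) -> bytes:
        # Mixing the session id into the hash makes a code useless in any other session.
        msg = f"{session_id}\x00{code}".encode()
        return hmac.new(self.pepper, msg, hashlib.sha256).digest()

    def issue(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Start a challenge. Returns (session_id, code); the code is what would go out by SMS."""
        if user in self.locked:
            raise PermissionError(f"user {user!r} is locked out")
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self.challenges[session_id] = Challenge(user, self._hash(session_id, code), now, self.lifetime)
        return session_id, code

    def verify(self, session_id: str, user: str, code: str, now: Optional[float] = None) -> bool:
        """Accept a code only for its own session and user, once, and within its lifetime."""
        now = time.time() if now is None else now
        if user in self.locked:
            return False
        ch = self.challenges.get(session_id)
        if ch is None or ch.user != user or ch.consumed:
            return self._fail(user)
        if now - ch.issued_at > ch.lifetime:
            del self.challenges[session_id]   # expired: drop it so it can never be used
            return False
        if not hmac.compare_digest(self._hash(session_id, code), ch.code_hash):
            return self._fail(user)
        ch.consumed = True                    # one-time: a replay is rejected above
        self.failures.pop(user, None)         # success resets the failure counter
        return True

    def _fail(self, user: str) -> bool:
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked.add(user)             # brute-force protection: consecutive failures lock the user
        return False
```

keyspace_bits makes "configurable length and complexity" concrete: six decimal digits give about 20 bits, six characters from the 32-symbol alphabet give 30 bits. Neither survives unlimited online guessing on its own, which is why the lockout after a few consecutive failures and the short lifetime, not the code length alone, are what defeat brute force. Mixing the session id into the stored hash is what makes a code session-specific: a code captured from one session is rejected in any other.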

From a user perspective, SMS PASSCODE® provides increased security compared to e.g. traditional hardware-token based solutions because:

• High user awareness of a stolen or lost cell phone means a shorter period before counter-actions are taken.
• High user awareness of the need to block the SIM card of a stolen or lost cell phone to prevent misuse, which implies lock down of access using SMS PASSCODE®.
• Users can lock their stolen or lost cell phone (SIM card) themselves, meaning faster reaction and a shorter period of security breach.

4.3 Installation

Installation of SMS PASSCODE® is very simple, since SMS PASSCODE® is an “out-of-the-box” end-to-end solution containing all necessary software and hardware. Simply connect the included GSM modem(s) to your servers, install the software, and you are ready.

The component architecture of SMS PASSCODE® offers maximum flexibility of installation, allowing distribution of SMS PASSCODE® components according to your specific needs.

Unlike traditional hardware-token based solutions, SMS PASSCODE® works without distribution of any hardware tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. You can get SMS PASSCODE® up and running with thousands of users within minutes. Just extract all cell phone numbers from your Active Directory or import them from a comma-separated file.


4.4 Administration

The daily administration of SMS PASSCODE® is simple due to:

• No logistic overhead regarding administration and distribution of hardware tokens.
• No need to involve IT personnel in the event of a lost cell phone, since users will quickly discover the loss and act on their own impulse to block the SIM card.

Additionally, SMS PASSCODE® includes an Active Directory Integration feature that allows administration of SMS PASSCODE® users in your Active Directory. The AD Integration features are:

• Works “out-of-the-box”. No schema extension of your AD is needed.
• Supports both LDAP and Global Catalog lookups.
• Supports extraction of users from multiple separate AD domains.
• Supports nested groups, including groups from child domains and trusted domains.
• Configurable AD attribute containing the users’ cell phone numbers. You can even specify a prioritized list of attributes.

4.5 Enterprise Environment Support

Failover and scalability are very important in enterprise environments. SMS PASSCODE® provides failover and scalability on all levels, thus providing unmatched support for enterprise environments:

• Database level: Each SMS Transmitter service and Load Balancing service caches all data locally, meaning independence of the backend database and high scalability. I.e. system operation is maintained even in the event that the backend database is down.

• Transmitter level: A load balancing service provides intelligent distribution of all incoming requests to many SMS transmitter services, thereby providing full failover and load balancing between all SMS transmitter services. I.e. system operation is maintained even in the event that a transmitter service is down. An unlimited number of transmitter services are supported.

• GSM Modem level: Each transmitter supports a modem pool containing up to 32 GSM modems, thereby providing full failover and load balancing between all modems in a pool. I.e. system operation is maintained even in the event of a GSM modem being down. If SIM cards from different carriers are used, you can even obtain failover at the GSM service provider level.

• Authentication client level: Each authentication client may forward incoming requests to several SMS transmitter services or load balancing services. I.e. system operation is maintained even in case some of the transmitter services or load balancing services are down. An unlimited number of transmitter services and load balancing services are supported.


Additionally, using Modem Groups and Load Balancing Policies it is possible to control the load balancing of SMS messages across all modems at a granular level. Since the Load Balancing Policies are very flexible, the number of possibilities is enormous. Some examples of their usage are:

• Prefix load balancing: Group modems according to the country where they are located. Preferably send SMS messages from GSM modems with SIM cards having the same mobile number prefix as the receiver.

• GSM service provider failover: Group modems according to the GSM service provider of the SIM cards. Preferably send SMS messages using a selected GSM service provider, but use another one for failover (e.g. automatically send another passcode using a second service provider if the first passcode could not be sent or was not entered within a specified time limit).

• GSM receiver failover: Allocate both a primary and a secondary cell phone number to some users. Automatically send another passcode to the secondary cell phone if the first passcode could not be sent or was not entered within a specified time limit.
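To show how the three policies above combine, here is an added Python example written for this guide; it is not SMS PASSCODE® code, and the Modem/ModemPool data model, the least-sent tie-break and the fixed attempt order are assumptions for the illustration. It selects a modem by preferred provider and matching number prefix, then computes the ordered fallback attempts for provider failover and receiver failover. In the product each later attempt is only triggered when the earlier passcode could not be sent or was not entered within the configured time limit; here the whole chain is computed up front so the ordering is visible.

```python
"""Modem selection for prefix load balancing, provider failover and receiver failover.

Added example, not SMS PASSCODE code. The Modem/ModemPool model, the least-sent
tie-break and the fixed attempt order are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Modem:
    name: str
    provider: str          # GSM service provider of the SIM card
    prefix: str            # country prefix of the SIM's own mobile number, e.g. "+45"
    healthy: bool = True   # False once modem monitoring has flagged the modem as down
    sent: int = 0          # messages sent so far; used as a simple load-balancing tie-break


class ModemPool:
    def __init__(self, modems: List[Modem]):
        self.modems = list(modems)

    def select(self, number: str, preferred_provider: Optional[str] = None,
               excluded_providers: Tuple[str, ...] = ()) -> Optional[Modem]:
        """Pick a healthy modem: the preferred provider if any of its modems is healthy,
        then a SIM with the same number prefix as the receiver if any, then the least loaded."""
        cands = [m for m in self.modems
                 if m.healthy and m.provider not in excluded_providers]
        if preferred_provider is not None:
            preferred = [m for m in cands if m.provider == preferred_provider]
            if preferred:
                cands = preferred            # other providers only when the preferred one is down
        same_prefix = [m for m in cands if number.startswith(m.prefix)]
        pool = same_prefix or cands          # prefix load balancing, with a fallback
        if not pool:
            return None
        return min(pool, key=lambda m: (m.sent, m.name))

    def mark_sent(self, modem: Modem) -> None:
        modem.sent += 1


def delivery_plan(pool: ModemPool, primary_number: str,
                  secondary_number: Optional[str] = None,
                  preferred_provider: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Ordered (modem, number, reason) attempts. Each later attempt stands in for the
    'could not be sent or not entered within the time limit' trigger of the policy."""
    plan: List[Tuple[str, str, str]] = []
    first = pool.select(primary_number, preferred_provider)
    if first is None:
        return plan
    plan.append((first.name, primary_number, "primary attempt"))
    # Provider failover: a different GSM service provider, same receiver.
    second = pool.select(primary_number, excluded_providers=(first.provider,))
    if second is not None:
        plan.append((second.name, primary_number, "provider failover"))
    # Receiver failover: the user's secondary cell phone, best-matching modem.
    if secondary_number:
        third = pool.select(secondary_number)
        if third is not None:
            plan.append((third.name, secondary_number, "receiver failover"))
    return plan
```

With a constructed pool of two Danish TDC modems, one Danish Telenor modem and one UK Vodafone modem, a Danish receiver with a preferred provider of TDC gets the least-loaded TDC modem first, the Telenor modem for provider failover, and the UK modem for the receiver failover to a +44 secondary number. When every TDC modem is down, the plan falls through to the other providers while still preferring the matching prefix.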

This clearly demonstrates that SMS PASSCODE® has been designed and built with even the most demanding enterprise environments in mind.


5 COMPONENTS

SMS PASSCODE® is composed of the following software components:

Component: Description

Database Service: Database for storing all SMS PASSCODE® user data and configuration data.

Web Administration Interface: Web site for maintaining SMS PASSCODE® user data and configuration data.

Transmitter Service: Service responsible for communication with GSM modems and validation of SMS PASSCODE® logons. Handles load balancing and failover between all GSM modems connected to the service.

Load Balancing Service: Service responsible for handling load balancing and failover between all Transmitter services. This optional service is recommended for enterprise multi server installations where multiple Transmitter services are present. It should only be installed in the following cases: 1) advanced failover and load balancing of SMS messages between all Transmitter services is required, or 2) the usage of Load Balancing Policies is required.

Citrix Web Interface Protection: Integrates SMS PASSCODE® with Citrix Web Interface, providing SMS PASSCODE® authentication for Citrix Web Interface users. It is optionally possible to run the Citrix Web Interface protection side-by-side with hardware-token based two-factor authentication systems, e.g. RSA SecurID® or SafeWord®. Both AD and NDS authentication are supported.


RADIUS Protection: Integrates with RADIUS systems, providing SMS PASSCODE® authentication for RADIUS clients. It is optionally possible to run this integration side-by-side with other RADIUS authentication systems, e.g. hardware-token based two-factor authentication systems. On Windows Server 2003, RADIUS protection is provided by means of an extension for the Microsoft Internet Authentication Service (IAS). On Windows Server 2008, RADIUS protection is provided by means of an extension for the Microsoft Network Policy Server (NPS). Besides VPN systems, the RADIUS protection component is also useful for protecting access to Microsoft SharePoint Portal servers using application gateways, e.g. Microsoft Intelligent Application Gateway, Microsoft Unified Access Gateway, Citrix Access Gateway Enterprise Edition or Juniper SA.

ISA/TMG Web Site Protection: Integrates SMS PASSCODE® with Microsoft ISA/TMG Server, providing SMS PASSCODE® authentication for web sites directly on an ISA/TMG Server. The web sites are required to be published through the ISA/TMG server using a Web Listener. Currently the following types of web sites are supported:
  o Microsoft Outlook Web Access 2003 / 2007 / 2010
  o Microsoft Terminal Service Web Access (TS Web Access)
  o Microsoft Remote Desktop Web Access (RD Web Access)
  o Microsoft SharePoint Portal Server
  o IIS web sites using Basic or Integrated Windows Authentication
  o Any web site not requiring any pass-through authentication (authentication delegation)
SMS PASSCODE® authentication can be enabled/disabled for each specific Web Listener in the ISA/TMG server. ISA/TMG Web Site protection is provided by means of an ISA/TMG filter.


IIS Web Site Protection Integrates SMS PASSCODE® with Microsoft Internet Information Server (IIS), providing SMS PASSCODE® authentication for IIS Web Sites. Currently the following types of Web Sites are supported:

o Microsoft Outlook Web Access 2003 / 2007 / 2010
o Microsoft Terminal Service Web Access (TS Web Access)
o Microsoft Remote Desktop Web Access (RD Web Access)
o IIS Web Sites using Basic or Integrated Windows Authentication

SMS PASSCODE® authentication can be enabled/disabled for each specific IIS web site – it is even possible to configure different settings for specific URLs and/or specific client IP addresses. IIS Web Site protection is provided by means of an ISAPI filter.

Windows Logon Protection

Integrates SMS PASSCODE® with Windows Logon, thereby providing SMS PASSCODE® authentication for users logging on to Windows. This is for example useful for protecting Microsoft Terminal Service / Remote Desktop server environments, or VMware View virtual clients.

SMS PASSCODE® authentication can be enabled/disabled for each specific RDP Listener.

Windows Logon integration is provided by means of a custom GINA (Windows XP and Windows Server 2003) and a custom Credential Provider (Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2).

Citrix Access Gateway Advanced Edition Protection

Integrates SMS PASSCODE® with CAGAE, thereby providing SMS PASSCODE® authentication for CAGAE logon points. SMS PASSCODE® authentication can be enabled/disabled for each specific logon point. CAGAE integration is provided by means of an HTTP Module.

The components Database Service, Web Administration Interface and Transmitter Service are required components – i.e. they must always be present in an SMS PASSCODE® installation. The remaining components are optional.

The term SMS PASSCODE® core component is used in the subsequent sections of this documentation to denote one of the components: Database Service, Web Administration Interface, Transmitter Service or Load Balancing Service.


The term SMS PASSCODE® Authentication client is used in the subsequent sections of this documentation to denote one of the components: Citrix Web Interface Protection, RADIUS Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon Protection or Citrix Access Gateway Advanced Edition Protection.


6 SYSTEM REQUIREMENTS

In this section the system requirements are listed for each SMS PASSCODE® software component (cf. section 5).

Please note: All SMS PASSCODE® components require the Microsoft .NET 3.5 SP1 Framework, but you do not have to install it beforehand. The SMS PASSCODE® installation will detect whether the Microsoft .NET 3.5 SP1 Framework is missing – and will automatically download and install it if necessary.

Component Requirement

Database Service Supported operating systems:

Windows Server 2003 (x86/x64)

Windows Server 2008 (x86/x64)

Windows Server 2008 R2 (x64)

If you are planning to enable the Active Directory Integration feature, it is recommended to install this component on a domain member server or a domain controller.

Web Administration Interface

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

IIS 6.0 or 7.0/7.5 required

It is recommended to install this component on the same server as the Database Service component.

Transmitter Service

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

An unused serial port (COM port) for each GSM modem (see footnote 3).

An active SIM card for each GSM modem in use.

Load Balancing Service

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

3 If the server does not have a free serial port, you may use a serial port server instead. When using this solution, you map a virtual serial port on the computer to a serial port on a device, which is connected to the network. SMS PASSCODE® has been tested with serial port servers (“Terminal Servers”) from Moxa (http://www.moxa.com/Zones/Serial_to_Ethernet). It is recommended to use secure serial port servers, which encrypt the network communication (e.g. Moxa Nport 6000 series). It is also advantageous to use serial port servers in case you need to connect a lot of GSM modems to the same computer, since serial port servers with many serial ports are available. Moxa also offers a serial port server with an integrated GSM modem. This device is called Moxa OnCell (http://www.moxa.com/Product/OnCell_G3110_G3150.htm). If you plan to use a Moxa OnCell device, please contact [email protected] to get a detailed installation guide on how to set it up correctly with SMS PASSCODE®.


Citrix Web Interface Protection

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

You must install Citrix Web Interface on the server and publish at least one Web Interface before installing this component. The following Citrix Web Interface versions are supported on Windows Server 2003:

o Citrix Web Interface 4.0, 4.2, 4.5 and 4.6
o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0
o Citrix Access Essentials 1.x
o Citrix Access Essentials 2.0

The following Citrix Web Interface versions are supported on Windows Server 2003 x64:

o Citrix Web Interface 4.5 and 4.6
o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0
o Citrix Access Essentials 2.0

The following Citrix Web Interface versions are supported on Windows Server 2008 x86, Windows Server 2008 x64 and Windows Server 2008 R2 x64:

o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0.

AD and NDS authentication is supported.

Please note: The SMS PASSCODE® installation will automatically patch Citrix Web Interface version 4.0/4.2 and CAE 1.x, thereby ensuring that the Citrix Access Suite Console will work correctly together with the Microsoft .NET 2.0/3.5 Framework. The patch is described here:

http://support.citrix.com/article/CTX109099

http://support.citrix.com/article/CTX108104


RADIUS Protection

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

Please note: Windows Server 2003 Web Edition and Windows Server 2008 Web Edition cannot be used, because IAS/NPS is not part of these editions.

Windows Server 2003: Internet Authentication Service (IAS) must be installed before installing this component.

Windows Server 2008: Network Policy Service (NPS) must be installed before installing this component.

Supported RADIUS clients: All RADIUS clients that support the PAP authentication protocol. The best user experience is achieved using RADIUS clients that support PAP with Challenge Response. Among others the following RADIUS clients support Challenge Response:

o Juniper SSL VPN
o Fortigate SSL VPN
o Cisco PIX 5XX
  min. Cisco VPN client 4.8 (PC) (see footnote 4)
  min. Cisco VPN client 4.9 (MAC)
o Cisco ASA 5XXX
  min. Cisco VPN client 4.8 (PC)
  min. Cisco VPN client 4.9 (MAC)
o Cisco VPN Concentrator 3000
  min. Cisco VPN client 4.8 (PC)
  min. Cisco VPN client 4.9 (MAC)
o Check Point FW-1/VPN-1 NG/FP3
  Check Point VPN-1 SecuRemote Connection Client
o Citrix Access Gateway (see footnote 5)
  Standard Edition (min. ver. 4.5)
  Enterprise Edition
o Microsoft Intelligent/Unified Application Gateway (IAG/UAG)
o WatchGuard Firebox
  WatchGuard Windows VPN Client

Please contact your SMS PASSCODE® reseller or [email protected] for further information regarding supported RADIUS clients.

ISA/TMG Web Site Protection

Supported scenarios:
o Windows Server 2003 x86 with Microsoft ISA Server 2006 installed.
o Windows Server 2008 x64 with Microsoft TMG 2010 installed.
o Windows Server 2008 R2 x64 with Microsoft TMG 2010 installed.

4 Please note that versions 5.0.00.x - 5.0.01.x had problems with the RADIUS challenge/response implementation. You must upgrade to a newer version of the Cisco VPN client 5.x.

5 Please note that Citrix Access Gateway Advanced Edition does NOT currently support Challenge Response. However, the CAGAE Protection component is used in this case.


IIS Web Site Protection

Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

IIS 6.0, 7.0 or 7.5 required

Windows Logon Protection

Supported operating systems:
o Windows XP (x86/x64) (see footnote 6)
o Windows Server 2003 (x86/x64)
o Windows Vista (x86/x64) (see footnote 6)
o Windows 7 (x86/x64) (see footnote 6)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)

Terminal Service / Remote Desktop is supported

Citrix Access Gateway Advanced Edition Protection

Supported operating system: Windows Server 2003 x86

IIS 6.0 required

You must install the Advanced Access Control software for Citrix Access Gateway Advanced Edition, version 4.5 before installing this component.

IMPORTANT: Hotfix AAC450W001 for Citrix Advanced Access Control 4.5 is NOT supported. Please upgrade to a newer hotfix, i.e. AAC450W002 or later.

6.1 Terminal Service / Remote Desktop Service Protection

Access to Terminal Services or Remote Desktop Services can be protected by SMS PASSCODE® authentication in several ways.

Windows Server 2003: When using Terminal Services on Windows Server 2003, please install the SMS PASSCODE® Windows Logon Protection component on each Terminal Service host requiring SMS PASSCODE® protection.

Windows Server 2008 (R2): When using Terminal Services / Remote Desktop Services on Windows Server 2008 (R2) you have three options to implement SMS PASSCODE® authentication:

1. Protecting a TS / RD Web Access site directly on the IIS: Install the SMS PASSCODE® IIS Web Site Protection component on the server hosting the TS / RD Web Access site. It is mandatory that the TS / RD Web Access site and the TS / RD Gateway site are installed on the same IIS. If the RD Web Access site is hosted on a Windows Server 2008 R2, then form-based authentication and single sign-on (SSO) are supported.

6 It is not recommended to install Windows Logon Protection on laptops, because SMS PASSCODE® logon is only possible when the laptop is able to connect to an SMS PASSCODE® Transmitter Service. Since this connection is typically established via the network, the laptop may lose its connection to the Transmitter service when it is undocked – thereby preventing user authentication.


2. Protecting a TS / RD Web Access site that has been published through an ISA/TMG Server using a Web Listener: Install the SMS PASSCODE® ISA/TMG Web Site Protection component on the ISA/TMG server and enable SMS PASSCODE® authentication on the Web Listener used to publish the TS / RD Web Access site. Single sign-on is not supported in this case (see footnote 7).

3. Protecting Windows Logon on all TS / RD session host servers: Install the SMS PASSCODE® Windows Logon Protection component directly on each Terminal Service / Remote Desktop Service session host requiring SMS PASSCODE® protection.

Please refer to section 9.2.3 (page 44) for more setup details regarding cases 1 and 2, which use the TS / RD Web Access site.

6.2 SharePoint Portal Server Protection

SMS PASSCODE® supports protection of Microsoft SharePoint Portal Server (version 2003 and newer). Please refer to section 9.2.5 (page 54) for more details regarding SharePoint Portal server protection.

6.3 Citrix iPhone Receiver Protection

This section describes the prerequisites for using SMS PASSCODE® authentication with the Citrix iPhone Receiver 2.0.

One or more dedicated RADIUS servers are required to authenticate Citrix iPhone Receiver clients, because of the special format in which the SMS passcode must be sent.

One or more Citrix Access Gateways (Standard Edition or Enterprise Edition) are also required.

Please follow the procedure below to set up Citrix iPhone Receiver protection:

1. Install and configure one or more dedicated RADIUS servers, i.e. Windows servers with the IAS/NPS service installed. Please read sections 9.2.1 (page 41) and 9.2.2 (page 43) regarding installation of the IAS and NPS service, respectively.

2. On each RADIUS server add the Citrix Access Gateway (Standard or Enterprise Edition) as a normal RADIUS client.

3. Configure the Citrix Access Gateway(s) and iPhones to allow a standard authentication without SMS PASSCODE® authentication (set the iPhone to “Domain Only” authentication). Please read the documentation from Citrix regarding this.

4. Now install the SMS PASSCODE® RADIUS Protection component on each RADIUS server that was installed in step 1.

7 This is not a restriction due to SMS PASSCODE®. Single sign-on is not possible with RD Web Access in general when the site is configured to use Basic or Integrated Windows Authentication (which is required when publishing the site through an ISA/TMG Server using a Web Listener).


5. On each RADIUS server start the SMS PASSCODE® Configuration Tool and add the IP address(es) of the Citrix Access Gateway(s) to the Clients not supporting challenge packets setting. This setting is located on the Miscellaneous tab, which is located on the RADIUS Client Protection tab:

Remember to save the settings and restart the IAS/NPS service.

6. On each server with the SMS PASSCODE® Transmitter service installed, configure the Transmitter service to send all SMS PASSCODEs requested from the dedicated RADIUS server(s) in a special iPhone format. This is achieved by creating a new MULTI_STRING value named TrIPhoneAuthenticationServers below the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\SMS PASSCODE

on each Transmitter server. Add the hostname(s) of the dedicated RADIUS server(s) to the registry value.

7. Restart each Transmitter service.


8. Verify that an iPhone can now authenticate using SMS PASSCODE® authentication. Configure the iPhone to use “SMS Authentication” and ensure that the Receiver client is closed before attempting a new login.


The end-user workflow on the iPhone should be like this:

1. Start the Citrix iPhone Receiver.

2. Enter your credentials and click the OK button:

3. The following message appears:


4. After a short period an SMS PASSCODE is received. Click the Reply button:

5. Click the passcode link in the reply message:

This will automatically transfer the one-time-passcode to the Citrix Receiver application.


6. The authentication is now complete and the published XenApp applications are displayed:

7 HARDWARE – GSM MODEMS

When acquiring an SMS PASSCODE® license you always start with the acquisition of the SMS PASSCODE® starter pack. This starter pack includes the first user licenses (CALs) and a modem license.

If you would like to use more modems in your SMS PASSCODE® solution to support failover or extended scalability, then you must acquire an additional modem license for each modem.

Both the SMS PASSCODE® starter pack and each additional modem license include a modem pack. Each modem pack includes the following hardware:

o A Cinterion (formerly Siemens) GSM modem (see footnote 8).
o Power supply for the modem.
o Serial cable for the modem.
o Antenna for the modem.

In short: SMS PASSCODE® includes all hardware necessary to send SMS from a server.

IMPORTANT: SMS PASSCODE® does NOT include an active SIM card for each GSM modem. You must acquire a SIM card for each GSM modem yourself. SIM cards protected by a PIN code are supported by SMS PASSCODE®.

8 INFRASTRUCTURE

SMS PASSCODE® is composed of various software components (cf. section 5) which can communicate with each other across the network. This provides great flexibility regarding the distribution of the components on different servers, which enables optimizing the SMS PASSCODE® installation to your specific server infrastructure.

8 SMS PASSCODE® supports the Cinterion MC35i, MC52i, MC55i, TC65 and MC75 modems.

Since you can distribute the SMS PASSCODE® components in almost any way you like, there are a huge number of possible installation scenarios. The possibilities span from the very simple installation case, where all components are installed on the same server (Single Server Installation), to the advanced “total distribution” installation case, where all components are distributed onto different machines. A lot of other scenarios exist between these two extremes – you can install some components together on a machine while other components are installed individually on other machines.

The purpose of this section is to show selected network diagrams that illustrate different “sample” SMS PASSCODE® installation scenarios. This is primarily intended for readers who would like to perform a more advanced, multi server installation of SMS PASSCODE®. If you have already decided to install all components on the same server, then you can skip this section and choose Single Server Installation during the installation.

Active Directory Integration and Multi Server Installation

When using Active Directory Integration in single domain mode, it is recommended to install the Database Service component on a domain member server or a domain controller. I.e. when planning for a Multi Server Installation with some components being installed in a DMZ you will typically locate the Database Service on the LAN side of the firewall.

8.1 Component Communication

The communication between SMS PASSCODE® components is handled differently depending on whether all components are installed on the same server (Single Server Installation) or distributed to several machines (Multi Server Installation).

In a Single Server Installation scenario all components communicate directly with each other without involving the network (see footnote 9).

In a Multi Server Installation scenario the components communicate via the network. Communication takes place using the TCP/IP protocol – all network messages are encrypted. SMS PASSCODE® uses the different TCP ports described below:

9 In this case Inter-Process Communication (IPC) is used. No TCP port conflicts can occur in this case, except in case of the Web Administration Interface, which will always use a TCP port (port 2000 by default).


Component / Incoming / Outgoing

Database Service
Incoming: Listens by default on the two TCP ports 9090 and 9091
Outgoing:
o Communicates with all Transmitter services (TCP port 8989)
o Communicates with all Load Balancing services (TCP port 8988), if any are installed
o Communicates with one or more Domain Controllers, in case Active Directory Integration has been enabled (using LDAP or Global Catalog)

Web Administration Interface
Incoming: Listens by default on TCP port 2000
Outgoing:
o Communicates with the Database service (TCP port 9091)
o Communicates with Transmitter services (TCP port 8989), when sending any test SMS and no Load Balancing service is in use
o Communicates with Load Balancing services (TCP port 8988), when sending any test SMS and any Load Balancing service is in use

Transmitter Service
Incoming: Listens by default on TCP port 8989
Outgoing:
o Communicates with the Database service (TCP port 9090)

Load Balancing Service
Incoming: Listens by default on TCP port 8988
Outgoing:
o Communicates with the Database service (TCP port 9090)
o Communicates with all Transmitter services (TCP port 8989)

SMS PASSCODE® Authentication clients
Incoming: -
Outgoing: Depending on the configuration, communicates with either:
o a list of Transmitter services (TCP port 8989)
-- or --
o a list of Load Balancing services (TCP port 8988)

The usage of the different TCP ports during component communication is also illustrated using network diagrams in the following sections (e.g. the network diagram in section 8.6, page 37, gives a good overview).

You can change the default TCP ports during Multi Server Installation (or afterwards), in case they are in conflict with other applications.
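The communication table above, turned into a firewall allow-list: an added example (not from the SMS PASSCODE guide) that takes a list of which component runs on which server, derives every cross-server TCP flow from the ports and directions in section 8.1, and renders the inbound Windows Firewall rules each destination server needs. Hostnames, role names, the netsh rendering, the LDAP/Global Catalog port numbers and the assumption that authentication clients use the Load Balancing services whenever any are installed are this example's own.

```python
"""Derive the TCP flows a Multi Server Installation needs between its servers.

Added example, not from the SMS PASSCODE guide. Ports and connection
directions follow the component communication table in section 8.1; the
hostnames, role names and the netsh rendering are this example's assumptions.
"""
from collections import defaultdict

# Default listening ports (section 8.1).
DB_PORT = 9090           # Database Service, used by Transmitter and Load Balancing services
DB_ADMIN_PORT = 9091     # Database Service, used by the Web Administration Interface
TRANSMITTER_PORT = 8989
LOAD_BALANCER_PORT = 8988
# Standard AD ports; the guide names LDAP and Global Catalog but not the numbers.
LDAP_PORT = 389
GLOBAL_CATALOG_PORT = 3268

ROLES = {"database", "web_admin", "transmitter", "load_balancer", "auth_client"}


def required_flows(hosts, dc_hosts=()):
    """Return {(src_host, dst_host, tcp_port): {purpose, ...}} for every flow
    between *different* servers.

    hosts:    mapping hostname -> set of roles (see ROLES).
    dc_hosts: domain controllers the Database Service contacts when Active
              Directory Integration is enabled (leave empty otherwise).
    Components sharing a server use IPC (footnote 9), so such pairs produce
    no flow; a Single Server Installation therefore yields an empty result.
    """
    unknown = {r for roles in hosts.values() for r in roles} - ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    by_role = defaultdict(list)
    for host, roles in sorted(hosts.items()):
        for role in roles:
            by_role[role].append(host)
    dbs, admins = by_role["database"], by_role["web_admin"]
    txs, lbs, clients = by_role["transmitter"], by_role["load_balancer"], by_role["auth_client"]
    flows = defaultdict(set)

    def add(src, dst, port, purpose):
        if src != dst:                       # same server: IPC, no TCP needed
            flows[(src, dst, port)].add(purpose)

    for db in dbs:
        for tx in txs:
            add(db, tx, TRANSMITTER_PORT, "Database Service pushes data to Transmitter Service")
        for lb in lbs:
            add(db, lb, LOAD_BALANCER_PORT, "Database Service pushes data to Load Balancing Service")
        for dc in dc_hosts:
            add(db, dc, LDAP_PORT, "Active Directory Integration (LDAP)")
            add(db, dc, GLOBAL_CATALOG_PORT, "Active Directory Integration (Global Catalog)")
    for admin in admins:
        for db in dbs:
            add(admin, db, DB_ADMIN_PORT, "Web Administration Interface to Database Service")
        # Test SMS goes via the Load Balancing services when any exist,
        # otherwise directly to the Transmitter services.
        for target in (lbs or txs):
            add(admin, target, LOAD_BALANCER_PORT if lbs else TRANSMITTER_PORT,
                "Web Administration Interface test SMS")
    for tx in txs:
        for db in dbs:
            add(tx, db, DB_PORT, "Transmitter Service to Database Service")
    for lb in lbs:
        for db in dbs:
            add(lb, db, DB_PORT, "Load Balancing Service to Database Service")
        for tx in txs:
            add(lb, tx, TRANSMITTER_PORT, "Load Balancing Service to Transmitter Service")
    # Assumption: authentication clients are pointed at the Load Balancing
    # services when any are installed, else at a prioritized Transmitter list.
    for client in clients:
        for target in (lbs or txs):
            add(client, target, LOAD_BALANCER_PORT if lbs else TRANSMITTER_PORT,
                "Authentication client passcode request")
    return dict(flows)


def inbound_netsh_rules(flows):
    """One Windows Firewall allow rule per (destination, port), scoped with
    remoteip= to the servers that actually need to connect."""
    sources = defaultdict(set)
    for (src, dst, port) in flows:
        sources[(dst, port)].add(src)
    rules = []
    for (dst, port), srcs in sorted(sources.items()):
        rules.append(f"rem run on {dst}\n"
                     f'netsh advfirewall firewall add rule name="SMS PASSCODE TCP {port}" '
                     f"dir=in action=allow protocol=TCP localport={port} "
                     f"remoteip={','.join(sorted(srcs))}")
    return rules


if __name__ == "__main__":
    # Constructed example: the minimum setup for optimal failover in section 8.5.
    setup = {"dbsrv": {"database", "web_admin"}, "lb1": {"load_balancer"},
             "lb2": {"load_balancer"}, "gw1": {"transmitter"}, "gw2": {"transmitter"},
             "wi1": {"auth_client"}, "wi2": {"auth_client"}}
    for rule in inbound_netsh_rules(required_flows(setup)):
        print(rule)
```

The Web Administration Interface's own browser port (TCP 2000) is not derived, since it serves administrators rather than other components.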


8.2 Single Server Installation

The simplest form of SMS PASSCODE® installation is called Single Server Installation. The following (required) components are always installed during this type of installation:

o Database Service
o Web Administration Interface
o Transmitter Service

The remaining components are optional (except the Load Balancing service which cannot be installed during a Single Server Installation).

[Network diagram: Single Server Installation. One SMS PASSCODE® Server (which can optionally be placed in the DMZ) runs the Database Service, Web Administration Interface and Transmitter Service together with the optional components: Citrix Web Interface Protection, RADIUS Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon Protection and CAGAE Protection. GSM Modem(s) are attached via serial cable. Internet clients reach the server through the Firewall; the server performs the optional AD Sync. with the Active Directory Server on the LAN.]


8.3 Multi Server Installation – Citrix Web Interface

In this section a Multi Server Installation example with several Citrix Web Interface servers is shown. A possibility in this case is to install the Citrix Web Interface Protection component on each Citrix Web Interface server and to install the Database Service, Web Administration Interface and Transmitter Service components on a different server:

[Network diagram: three Citrix Web Interface Servers in the DMZ, each running SMS PASSCODE® Citrix Web Interface Protection and fronting a Citrix Presentation Server farm, and one SMS PASSCODE® Server on the LAN running the Database Service, Web Administration Interface and Transmitter Service with GSM Modem(s) attached. The Web Interface servers connect to the SMS PASSCODE® Server through the Firewall on TCP 8989; the SMS PASSCODE® Server performs the optional AD Sync. with the Active Directory Server.]


For failover reasons it would be better to have several Transmitter Service components installed. In this case, if any Transmitter service would become unavailable for some reason, then each Citrix Web Interface server can communicate with another Transmitter service. You can install as many Transmitter services as you like. The example below illustrates the usage of two Transmitter services:

[Network diagram: three Citrix Web Interface Servers in the DMZ, each running SMS PASSCODE® Citrix Web Interface Protection and fronting a Citrix Presentation Server farm. On the LAN: the SMS PASSCODE® Database Server (Database Service, Web Administration Interface, Transmitter Service, GSM Modem(s)) and an SMS PASSCODE® Failover server (Transmitter Service, GSM Modem(s)). The Web Interface servers connect through the Firewall to both Transmitter services on TCP 8989; the Failover server connects to the Database Service on TCP 9090; optional AD Sync. with the Active Directory Server.]


When using several Transmitter services, each Citrix Web Interface server will communicate with the Transmitter services according to a prioritized list, i.e. failover without load balancing is provided. If you wish to have real load balancing between the Transmitter services (or if you wish to make use of Load Balancing Policies), then you must also install the optional Load Balancing service. You can install any number of Load Balancing services (to have failover on this level as well). The example below illustrates the usage of two Load Balancing services:

[Network diagram: three Citrix Web Interface Servers in the DMZ, each running SMS PASSCODE® Citrix Web Interface Protection and fronting a Citrix Presentation Server farm. On the LAN: the SMS PASSCODE® Database Server (Database Service, Web Administration Interface, Load Balancing Service, Transmitter Service, GSM Modem(s)) and an SMS PASSCODE® Failover server (Load Balancing Service, Transmitter Service, GSM Modem(s)). The Web Interface servers connect through the Firewall to both Load Balancing services on TCP 8988; the Load Balancing services reach the Transmitter services on TCP 8989; the Failover server connects to the Database Service on TCP 9090; optional AD Sync. with the Active Directory Server.]


8.4 Multi Server Installation – RADIUS Clients

In this section a Multi Server Installation example is shown with SMS PASSCODE® being used for RADIUS authentication. While it is possible to install all necessary SMS PASSCODE® components on the RADIUS server itself, the example below illustrates another scenario, where the RADIUS Protection component is installed on the RADIUS server and the remaining components are installed on a separate server:

[Network diagram: a RADIUS Server (MS IAS or MS NPS) running SMS PASSCODE® RADIUS Protection receives RADIUS requests (UDP 1812 / UDP 1645) from a Cisco device, a Juniper device and a Citrix Access Gateway (Standard or Enterprise Edition), which serve a Cisco VPN Client, a Juniper Client and a CAG Client on the Internet. The RADIUS Server connects on TCP 8989 to a separate SMS PASSCODE® Server on the LAN running the Database Service, Web Administration Interface and Transmitter Service with GSM Modem(s) attached; optional AD Sync. with the Active Directory Server.]


8.5 Multi Server Installation – Enterprise Setup

SMS PASSCODE® supports enterprise environments with 24x7 uptime demands. This is achieved by supporting failover on all levels of the SMS PASSCODE® infrastructure:

Failover on the database level:
The Database service continuously pushes all data changes to all Transmitter services and Load Balancing services. All data is cached locally, which means that all Transmitter services and Load Balancing services have access to all data even in case the Database service becomes unavailable.

Failover on the Transmitter service level:
Starting from SMS PASSCODE® version 3.0, failover on the transmitter level can be achieved in two different ways:

o Failover without Load Balancing service(s): Prior to SMS PASSCODE® version 3.0, the usage of the SMS PASSCODE® Load Balancing service was mandatory to obtain failover between Transmitter services. Please notice that this is not the case anymore. Now, on each server with one or more SMS PASSCODE® authentication clients installed, you can just specify a prioritized list of Transmitter services to use. In this case, each authentication client will automatically switch to another Transmitter service in case the currently used Transmitter service becomes unavailable. If simple failover is your only concern then the above configuration can be used.

o Failover with Load Balancing service(s): If your concern is both failover and scalability (expecting heavy loads), or if you need to make use of Load Balancing Policies, the installation and use of Load Balancing services is required. In this case, each Load Balancing service will continuously monitor all Transmitter services and ensure an intelligent load balancing of all incoming SMS requests between all available Transmitter services and GSM Modems. The load balancing algorithm is customizable using Load Balancing Policies. Using these policies it is possible to define in more detail how incoming requests should be distributed. Please refer to section 12.1.8 (page 122) for more information regarding this.

Failover on the GSM modem level:
Up to 32 GSM Modems may be connected to each Transmitter service in a modem pool. Each Transmitter service automatically performs intelligent load balancing between all available modems in its modem pool. In case a modem becomes unavailable, then the Transmitter directs incoming requests to other GSM Modems in the modem pool. By using SIM cards of different GSM service providers, you can even achieve failover on the carrier level.

Failover on the authentication client level:
Each SMS PASSCODE® Authentication client can be configured to redirect its requests to either a list of several Transmitter services or a list of several Load Balancing services. In both cases, if any of the listed services becomes unavailable, then requests are automatically redirected to the services being available. Please notice that the list of services can be changed on-the-fly during operation without any downtime.


For optimal failover your SMS PASSCODE® installation should include:

o At least two Load Balancing services.
o At least two Transmitter services.
o At least two GSM Modems connected to each Transmitter service (i.e. at least 4 GSM modems in total).
o Each SMS PASSCODE® Authentication client should redirect requests to at least two Load Balancing services.

The following diagram illustrates an example of a minimum setup for optimal failover. Please note that the 4 servers running Load Balancing Service and Transmitter Service could be consolidated on two servers, since a Load Balancing service and a Transmitter service may run on the same server.

[Diagram: example of a minimum setup for optimal failover. Components: AD Sync. (optional); Active Directory Server; SMS PASSCODE® Database Server running the SMS PASSCODE® Database Service and SMS PASSCODE® Web Administration; Citrix Web Interface Server 1 and Citrix Web Interface Server 2, each running SMS PASSCODE® Citrix Web Interface Protection; Load Balancing Server 1 and Load Balancing Server 2, each running the SMS PASSCODE® Load Balancing Service; SMS Gateway Server 1 and SMS Gateway Server 2, each running the SMS PASSCODE® Transmitter Service with GSM Modems attached. Ports shown: TCP 8988 on the links from the Citrix Web Interface Protection components to the Load Balancing Services; TCP 8989 on the links from the Load Balancing Services to the Transmitter Services; TCP 9090 towards the Database Service.]


8.6 Multi Server Installation – Total Distribution

In this section, the last Multi Server Installation example is shown. This example illustrates how it is possible to completely distribute all components on separate servers. The first diagram shows a complete distribution without making use of the Load Balancing Service:

[Diagram: total distribution without the Load Balancing Service. A Firewall separates the LAN and the DMZ. Components: AD Sync. (optional); SMS PASSCODE® Database Server running the SMS PASSCODE® Database Service; Active Directory Server; Citrix Web Interface Server running SMS PASSCODE® Citrix Web Interface Protection; Terminal Server / Remote Desktop Server running SMS PASSCODE® Windows Logon Protection; Web Server (IIS) running the SMS PASSCODE® Web Administration Interface; RADIUS Server (MS IAS or NPS) running SMS PASSCODE® RADIUS Protection, with a RADIUS client; SMS Gateway Servers running the SMS PASSCODE® Transmitter Service with GSM Modems; Citrix Advanced Access Control Server running SMS PASSCODE® CAGAE Protection; Web Server (IIS), e.g. OWA Server, running SMS PASSCODE® IIS Web Site Protection; Security Gateway (MS ISA/TMG Server) running SMS PASSCODE® ISA/TMG Web Site Protection in front of a Web Server (IIS), e.g. OWA Server. Ports shown: TCP 8989 on the links to the SMS Gateway Servers; TCP 9090 and TCP 9091.]


The second diagram below shows a complete distribution, including the Load Balancing Service:

[Diagram: total distribution including the Load Balancing Service. A Firewall separates the LAN and the DMZ. Components: AD Sync. (optional); SMS PASSCODE® Database Server running the SMS PASSCODE® Database Service; Active Directory Server; Web Server (IIS) running the SMS PASSCODE® Web Administration Interface; RADIUS Server (MS IAS or NPS) running SMS PASSCODE® RADIUS Protection, with a RADIUS client; Load Balancing Servers running the SMS PASSCODE® Load Balancing Service; SMS Gateway Servers running the SMS PASSCODE® Transmitter Service with GSM Modems; Citrix Web Interface Server running SMS PASSCODE® Citrix Web Interface Protection; Terminal Server / Remote Desktop Server running SMS PASSCODE® Windows Logon Protection; Citrix Advanced Access Control Server running SMS PASSCODE® CAGAE Protection; Web Server (IIS), e.g. OWA Server, running SMS PASSCODE® IIS Web Site Protection; Security Gateway (MS ISA/TMG Server) running SMS PASSCODE® ISA/TMG Web Site Protection in front of a Web Server (IIS), e.g. OWA Server. Ports shown: TCP 8988 on the links from the protection components to the Load Balancing Servers; TCP 8989 on the links from the Load Balancing Servers to the SMS Gateway Servers; TCP 9090 and TCP 9091.]


9 PRE-INSTALLATION ACTIONS

This section describes the actions to perform BEFORE running the SMS PASSCODE® installation program. Please read this section carefully.

9.1 Check SIM Cards

Before running an SMS PASSCODE® installation, please ensure that all SIM cards are working correctly.

Important: It is strongly recommended to check each SIM card according to the instructions below BEFORE the SMS PASSCODE® installation is started. It is our experience that more than 90% of all installation problems are related to SIM card problems.

The procedure for checking a SIM card is described below. It is recommended to perform the check at the location where the GSM modem for which the SIM card is intended is located.

For each SIM card perform the following actions:

1. Insert the SIM card into a cell phone.
2. Enter the PIN code if the SIM card requires this.
3. Wait until the cell phone has been registered on the mobile network.
4. Enter a new SMS and send it to another cell phone. Check that the transmission succeeds and that the SMS is received correctly on the other cell phone.

If the above check is not successful, it is usually caused by one of the following:

• The SIM card is not active or has been closed: Contact your cell phone operator and request activation of the SIM card.
• There is no GSM coverage at the location in question: You have the following possibilities in this case:
  o Move the server together with the GSM modem(s) to another location
  o Lengthen the antenna of the modem (e.g. to the roof of the building)
  o Move the GSM modem(s) to another location by installing the Transmitter Service on another server at a different location
  o Move the GSM modem(s) to another location by connecting them to a serial port server (e.g. Moxa NPort or Moxa OnCell) connected to the network

For further information regarding external modem antennas or serial port servers please contact your SMS PASSCODE® reseller or [email protected].


9.2 Check System Requirements

Before running an SMS PASSCODE® installation, please make sure that all system requirements are fulfilled for the components that you are planning to install. System requirements are listed in section 6 (page 18).

Please remember:

• Citrix Web Interface Protection: If you are planning to install the Citrix Web Interface Protection component, then a supported version of Citrix Web Interface must be installed on the Citrix Web Interface server beforehand and at least one Citrix Web Interface must have been published.
• RADIUS Protection:
  o If you are planning to install the RADIUS Protection component on a Windows Server 2003, then the Internet Authentication Service (IAS) must be installed on this server beforehand. Installation of IAS is described in section 9.2.1.
  o If you are planning to install the RADIUS Protection component on a Windows Server 2008 (R2), then the Network Policy Server (NPS) role must be added to this server beforehand. Installation of NPS is described in section 9.2.2.
• ISA/TMG Web Site Protection: If you are planning to install the ISA/TMG Web Site Protection component on a server, then a Microsoft ISA Server 2006 or Microsoft TMG 2010 must be installed on this server beforehand.
• IIS Web Site Protection: If you are planning to install the IIS Web Site Protection component on a Windows Server 2003, then the Internet Information Server (IIS) must be installed on this server beforehand (on Windows Server 2008 (R2) IIS will be installed automatically when missing).
• Citrix Access Gateway Advanced Edition Protection: If you are planning to install the Citrix Access Gateway Advanced Edition Protection component on a server, then the Citrix Advanced Access Control software for Citrix Access Gateway Advanced Edition, version 4.5, must be installed on this server beforehand.
• Microsoft Terminal Services / Remote Desktop Services Protection: If you are planning to protect Microsoft Remote Desktop Services, formerly called Microsoft Terminal Services, on Windows Server 2008 (R2), please refer to section 9.2.3 (page 44) before starting the SMS PASSCODE® installation.
• Microsoft SharePoint Portal Server Protection: If you are planning to protect Microsoft SharePoint Portal Server, please refer to section 9.2.5 (page 54) before starting the SMS PASSCODE® installation.


9.2.1 Installation of IAS

This section describes how to install the Microsoft Internet Authentication Service (IAS) on a Windows Server 2003. You have to install IAS on a Windows Server 2003 only if you are planning to install the SMS PASSCODE® RADIUS Protection component on this server. To install IAS, please follow the instructions below:

1. Click on Add/Remove Programs in the Control Panel:


2. Click on Add/Remove Windows Components:

3. A list of Windows Components appears. Scroll down to Networking Services.
  a. Mark Networking Services.
  b. Click the Details button.


4. A list of Networking Services appears.
  a. Check Internet Authentication Service.
  b. Click the OK button.
5. Click the OK button.
6. Click the Next button.
7. Click the Finish button. IAS has now been installed.

9.2.2 Installation of NPS

This section describes how to install the Microsoft Network Policy Server (NPS) role on a Windows Server 2008 (R2). You have to install NPS on a Windows Server 2008 (R2) only if you are planning to install the SMS PASSCODE® RADIUS Protection component on this server.

To install NPS, please run the following command in a command prompt:

    ServerManagerCmd -i NPAS-Policy-Server


9.2.3 Protection of TS/RD Web Access on Windows Server 2008 (R2)

In this section the term Remote Desktop Services (RDS) will be used to refer to both the former term Terminal Services and the new term Remote Desktop Services.

Starting from SMS PASSCODE® version 4.0, the SMS PASSCODE® Windows Logon Protection component also supports Windows Server 2008. This means that you now have three different options for protecting RDP access to RDS session hosts. You can either use SMS PASSCODE® Windows Logon Protection to protect the Windows Logon on the RDS session hosts directly, or you can use SMS PASSCODE® IIS Web Site Protection or ISA/TMG Web Site Protection to protect an RD Web Access site being used for accessing the RD applications.

The latter two cases, i.e. protecting the RD Web Access site, are recommended if you are planning to provide access to your RD applications using an RD Web Access site. This section describes the steps necessary to achieve this.

Please note that it is mandatory to access the RD session host servers through an RD Gateway when protecting access to RDS using an RD Web Access site.


The following two diagrams illustrate the required infrastructure setup, respectively, for performing SMS PASSCODE® authentication on an ISA/TMG server or an RD Web Access server:

[Diagram: SMS PASSCODE® protected RD Web Access site with two-factor authentication performed on the ISA/TMG Server. External Network: Microsoft ISA Server 2006 or Microsoft TMG 2010 running SMS PASSCODE® ISA/TMG Web Site Protection. Internal Network: Web Server (MS Internet Information Server (IIS)) hosting RD Web Access + RD Gateway; RADIUS Server (MS NPS); MS RDS Session Host Servers.]


[Diagram: SMS PASSCODE® protected RD Web Access site with two-factor authentication performed on the Web Server. A Firewall (e.g. Cisco, CheckPoint, ISA/TMG) separates the External Network from the Internal Network. Internal Network: Web Server (MS Internet Information Server (IIS)) hosting RD Web Access + RD Gateway and running SMS PASSCODE® IIS Web Site Protection; RADIUS Server (MS NPS); MS RDS Session Host Servers.]


Please notice:

• If the RD Web Access site has been published through an ISA/TMG Server using a Web Listener with form-based authentication enabled:
  o The SMS PASSCODE® ISA/TMG Web Site Protection component must be installed on the ISA/TMG Server. You may install any other SMS PASSCODE® components on the ISA/TMG server as well, but this is not recommended.
  o It is mandatory that the RD Web Access site and the RD Gateway site are published using the same Web Listener.
  o The RD Web Access site and RD Gateway site do not need to be hosted on the same IIS.
  o Single sign-on in the RD Web Access site is not supported (this is a general restriction when the RD Web Access site is configured to use Basic or Integrated Windows Authentication).
  o Please read section 9.2.3.1 (below) for detailed instructions regarding this setup.
• If the RD Web Access site has been published through any firewall (using NAT on port 443) with authentication being performed on the Web Server:
  o The SMS PASSCODE® IIS Web Site Protection component must be installed on the Web Server (i.e. the RD Web Access server). You may install any other SMS PASSCODE® components on the Web Server as well. E.g. if no other kind of SMS PASSCODE® protection is required, then you can perform an SMS PASSCODE® Single Server Installation on the Web Server.
  o It is mandatory that the RD Web Access site and RD Gateway site are hosted in the same site on the same IIS.
  o Single sign-on in the RD Web Access site is supported.
  o Please read section 9.2.3.2 (page 52) for detailed instructions regarding this setup.
• Always:
  o The SMS PASSCODE® RADIUS protection component must NOT be installed on the RADIUS server.
  o The Web Server and RADIUS server could be consolidated to a single server (installing both NPS and IIS 7.0/7.5 on the same server).

IMPORTANT: The SMS PASSCODE® RD Web Access protection will ensure that all users MUST authenticate using the RD Web Access site before any remote applications can be accessed through the RD Gateway. In other words, any attempt to access remote applications through the RD Gateway, without any prior authentication in the RD Web Access site, will fail.


9.2.3.1 Protecting RD Web Access with 2FA on the ISA/TMG server

This section describes how to protect your RD Web Access site by performing SMS PASSCODE® authentication directly on an ISA/TMG Server before the authenticated user is forwarded to the RD Web Access server:

1. Set up the Web Server if this has not been done yet, i.e. install IIS 7.0/7.5, the RD Web Access site and the RD Gateway site on the Web Server (it is also supported to install the RD Gateway and RD Web Access site on two different web servers, if required).

2. Install and configure the ISA/TMG server as described in this article: http://technet.microsoft.com/en-us/library/cc731249(WS.10).aspx.
  In the section To create a Web listener on the ISA Server follow the instructions as specified, except step 8b where you must select one of the first 3 options instead of RADIUS OTP:
  In the section To publish a Web site on the ISA Server by using the Web Listener follow the instructions as specified, except step 3 where you should name the rule “TS Gateway” or “RD Gateway”.

3. Test and verify that remote access from the external network to the MS Remote Desktop Server(s) through the RD Web Access site works as expected (using only AD credentials for authentication). If this test succeeds, you are now ready to add SMS PASSCODE® protection as described in the steps below.


4. On each RD Session Host server perform the following actions: In the Server Manager right-click the RemoteApp Manager and select RD Gateway Settings.
  a. Select the Custom RDP Settings tab.


  b. Enter the following two lines into the Custom RDP settings textbox:

    pre-authentication server address:s:https://fqdn/rdroot
    require pre-authentication:i:1

  …where fqdn must be replaced with the fully qualified domain name of the SSL certificate used for publishing the RD Web Access site, and rdroot must be replaced with the RD Web Access URL (“TS” and “RDWeb” by default on Windows Server 2008 and Windows Server 2008 R2, respectively).

5. On the ISA/TMG server perform the following additional configuration steps:
  a. Copy the Web Site Publishing Rule “TS Gateway” / “RD Gateway” that you have created earlier (right-click and select Copy; then right-click and select Paste). The new copy will be called the “RD Web Access” rule below.
  b. Edit the Web Site Publishing Rule “TS Gateway” / “RD Gateway” (right-click and select Properties) and make the following changes:
    i. On the Paths tab remove any existing paths and add the path “/rpc/*”.
    ii. Click OK.
  c. Edit the “RD Web Access” rule created in step 6a (right-click and select Properties). Enter the name “TS Web Access” or “RD Web Access” on the General tab and make the following changes:


    i. Select NTLM authentication on the Authentication Delegation tab:
    ii. On the Paths tab remove any existing paths and add the path “/ts/*” or “/rdweb/*” on Windows Server 2008 or Windows Server 2008 R2, respectively:
    iii. Click OK.


6. Now, install SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG Server.

7. Enable SMS PASSCODE® authentication on the Web Listener used on the Web publishing rule RD Web Access. Please read section 0 (page 198) for instructions on how SMS PASSCODE® authentication is enabled on a Web Listener.

8. Test that SMS PASSCODE® authentication works as expected.
  Please notice that users will have to re-enter the AD credentials when starting a Remote Desktop application. This is expected behavior because single sign-on is not supported by the RD Web Access site in general when it is published through an ISA/TMG server using a Web Listener.

9.2.3.2 Protecting RD Web Access directly on the IIS

This section describes how to protect your RD Web Access site by performing SMS PASSCODE® authentication directly on the Web Server, i.e. the IIS hosting the RD Web Access site.

1. Set up the Web Server if this has not been done yet, i.e. install IIS 7.0/7.5, the RD Web Access site and the RD Gateway site on the Web Server. Do NOT install SMS PASSCODE® IIS Web Site Protection on the Web Server yet.

2. Test and verify that remote access (from the external network) to the MS Remote Desktop Server(s) through the RD Web Access site works as expected (using only AD credentials for authentication). If you are planning to use single sign-on (SSO), please also test and verify that this works as expected. If these tests succeed, you are ready to add SMS PASSCODE® protection as described in the steps below.


3. Perform the following actions on each RD Session Host server: In the Server Manager right-click the RemoteApp Manager and select RD Gateway Settings.
  a. Select the Custom RDP Settings tab.


  b. Enter the following two lines into the Custom RDP settings textbox:

    pre-authentication server address:s:https://fqdn/rdroot
    require pre-authentication:i:1

  …where fqdn must be replaced with the fully qualified domain name of the SSL certificate used for publishing the RD Web Access site, and rdroot must be replaced with the RD Web Access URL (“TS” and “RDWeb” by default on Windows Server 2008 and Windows Server 2008 R2, respectively).

4. Now, install SMS PASSCODE® IIS Web Site Protection on the Web Server. During the installation, enable SMS PASSCODE® protection of the RD Web Access site:

5. Test that SMS PASSCODE® authentication works as expected.
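The two Custom RDP settings lines entered in step 4b of section 9.2.3.1 and step 3b above are what make the RD Gateway refuse sessions that did not first log on through the protected RD Web Access site, so they are worth generating and checking mechanically on every RD Session Host. The following Python is an added example, not code from the SMS PASSCODE® guide or product: it builds the two lines from the certificate FQDN and the RD Web Access root, parses settings back in the usual .rdp syntax (name:type:value, with type i for integer and s for string), and reports anything that would weaken pre-authentication (flag not set to 1, a non-https address, a host that differs from the certificate FQDN, or a path that is not an RD Web Access root). The host names remote.example.com and other.example.com are constructed.

```python
"""Build and check the Custom RDP settings that enforce pre-authentication
through the RD Web Access site.

Added example; not code from the SMS PASSCODE(R) guide or product. Assumes
the usual .rdp setting syntax name:type:value, where type i is an integer
and type s is a string. Host names used here are constructed.
"""
from urllib.parse import urlsplit

# Default RD Web Access roots per the guide: "TS" on Windows Server 2008,
# "RDWeb" on Windows Server 2008 R2 (compared case-insensitively).
DEFAULT_RDROOTS = ("ts", "rdweb")


def custom_rdp_settings(fqdn, rdroot):
    """Return the two lines to paste into the Custom RDP settings textbox."""
    return (f"pre-authentication server address:s:https://{fqdn}/{rdroot}\n"
            "require pre-authentication:i:1")


def parse_rdp_settings(text):
    """Parse name:type:value lines into a dict keyed by lower-cased name.

    The value is split off after the type field only, so the ':' inside an
    https:// URL is preserved. Integer settings (type i) become int.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError(f"malformed RDP setting: {raw!r}")
        name, kind, value = parts
        settings[name.strip().lower()] = int(value) if kind == "i" else value
    return settings


def check_preauth(text, cert_fqdn, rdroots=DEFAULT_RDROOTS):
    """Return a list of findings; an empty list means the settings enforce
    pre-authentication against the published RD Web Access site."""
    findings = []
    settings = parse_rdp_settings(text)

    if settings.get("require pre-authentication") != 1:
        findings.append("require pre-authentication is not 1: the RD Gateway "
                        "would accept sessions without a prior RD Web Access logon")

    address = settings.get("pre-authentication server address")
    if not address:
        findings.append("pre-authentication server address is missing")
        return findings

    url = urlsplit(address)
    if url.scheme != "https":
        findings.append(f"pre-authentication server address uses {url.scheme!r}, not https")
    if (url.hostname or "") != cert_fqdn.lower():
        findings.append(f"host {url.hostname!r} does not match the certificate FQDN "
                        f"{cert_fqdn!r} used for publishing the RD Web Access site")
    if url.path.strip("/").lower() not in rdroots:
        findings.append(f"path {url.path!r} is not an RD Web Access root {rdroots}")
    return findings


if __name__ == "__main__":
    lines = custom_rdp_settings("remote.example.com", "RDWeb")
    print(lines)
    print("findings:", check_preauth(lines, "remote.example.com"))
```

If your RD Web Access site uses a non-default root, pass it in `rdroots`; the check otherwise follows the guide's defaults. The host comparison is the one most often wrong in practice, since the address must carry the name on the certificate used for publishing, not the internal server name.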

9.2.4 Protecting VMware View 4.0

SMS PASSCODE® 4.0 supports protection of VMware View 4.0 virtual clients. To achieve this, please proceed as follows:

• Install SMS PASSCODE® Windows Logon Protection on all virtual clients.
• If the virtual clients have Windows XP installed, please note that the single sign-on component of the VMware agent must not be installed, since it will conflict with the SMS PASSCODE® Windows Logon Protection component. There is no such restriction when the virtual clients have Windows Vista or Windows 7 installed.
• Configure VMware View users to access the virtual clients using RDP when SMS PASSCODE® authentication is required, and using PCoIP when SMS PASSCODE® authentication is not required. A recommended setup is to use RDP for remote access and PCoIP for access on the internal LAN.

You can run the SMS PASSCODE® Configuration Tool with the new command line arguments to distribute any necessary SMS PASSCODE® settings to all VMware View clients (please read section 0, page 229, for more details).

9.2.5 Protection of SharePoint Portal Server

SMS PASSCODE® can efficiently protect SharePoint Portal Server (version 2003 and newer) and other application web sites.

The general requirement for successful SMS PASSCODE® protection is that the web application must only request a user authentication on the initial user log on, or alternatively, a security gateway that ensures this behavior must be used.


SharePoint Portal server is an example of a web application that might request user authentication multiple times during a session, e.g. when a user is editing a Word document. Therefore, to make SMS PASSCODE® protection of a SharePoint Portal server work it is mandatory to publish it through a security gateway that will prevent the additional user authentications during a session.

Examples of scenarios for successful SMS PASSCODE® protection of a SharePoint Portal server:

• Publish the SharePoint Portal server through a Microsoft Intelligent Application Gateway (IAG), a Microsoft Unified Application Gateway (UAG), a Citrix Access Gateway Enterprise Edition or a Juniper SA. Configure the gateway to use RADIUS authentication from a RADIUS server with SMS PASSCODE® RADIUS Protection installed. The advantage of this setup is that the listed security gateways have built-in features for cleaning up the client machines, e.g. removing any documents downloaded from the SharePoint Portal.
• Publish the SharePoint Portal server through a Microsoft ISA/TMG server using a Web Listener with persistent cookies and enable SMS PASSCODE® authentication on the Web Listener by installing SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG server. The disadvantage of this setup is that the ISA/TMG server will not perform any clean up on the client machines, i.e. any downloaded documents might remain on the client machine afterwards.

Recommendation

Prior to installing SMS PASSCODE® protection, please always test and verify that the published SharePoint Portal site works as required, i.e. that authentication occurs only once during the initial logon.

The following section shows an example on how to publish a SharePoint Portal server using a Microsoft IAG.


9.2.5.1 Example: Protecting a SharePoint Portal server using IAG

This section describes the necessary actions to apply SMS PASSCODE® protection to a SharePoint Portal server published through a MS IAG.

1. Prepare an SMS PASSCODE® RADIUS server by installing the SMS PASSCODE® RADIUS protection component on a Windows server with IAS/NPS installed.

2. Add an Authentication Server in the IAG that uses the SMS PASSCODE® RADIUS server for authentication:
  o In the Advanced Trunk Configuration dialog, click Add… to create a new authentication server:


  o Select Type = RADIUS and configure the RADIUS settings to use the SMS PASSCODE® RADIUS server. Remember to check the Support Challenge Response checkbox:


3. Configure each application within IAG that must be protected by SMS PASSCODE® authentication to use the credentials provided by the SMS PASSCODE® authentication server. This is done by selecting the SMS PASSCODE® authentication server on the Web Settings tab while editing the application:

Please contact [email protected] if you need further information regarding SharePoint Portal server protection.


10 UPGRADE

You can upgrade the following versions of SMS PASSCODE® directly to version 4.0:

• SMS PASSCODE® 3.0
• SMS PASSCODE® 3.0.1
• SMS PASSCODE® 3.1

To perform the upgrade you just have to run the SMS PASSCODE® 4.0 installation like a “First-time installation” (cf. section 11). Do not uninstall any earlier version of SMS PASSCODE® before installing version 4.0. The installation package will automatically upgrade the previous version and convert the database to the new file format.

IMPORTANT: If you are using CAGAE protection, please remember to repeat the actions for protecting each logon point after the upgrade (cf. section 12.8.1, page 218).

11 FIRST-TIME INSTALLATION

To install SMS PASSCODE® you have to complete 3 steps:

1. Install hardware, i.e. GSM modem(s) (section 11.1, page 59).
2. Install software (section 11.2, page 60).
3. Configure SMS PASSCODE® (section 12, page 98).

These 3 steps are described in the specified sections.

11.1 Installation of Hardware

Before installing the SMS PASSCODE® software, please connect all GSM modems. Prior to a Single Server Installation you should connect all modems to the server that SMS PASSCODE® is going to be installed on. Prior to a Multi Server Installation you should connect each modem to a server on which a Transmitter Service is going to be installed. In a typical scenario, you will distribute the modems evenly, i.e. connect the same number of modems to each server running the Transmitter Service.

Please follow the instructions below when connecting each GSM modem:

WARNING: Please follow the instructions below in strict order to avoid damaging the hardware. Please note that the power cord is not connected until step 7.

1. Release the SIM card sledge of the GSM modem by sticking a pointed object into the small hole beside the sledge.
2. Insert a SIM card into the sledge.
3. Carefully push the sledge back into the GSM modem again. DO NOT USE FORCE.
4. Screw the antenna (included) onto the GSM modem.
5. Connect the GSM modem to a serial port using the serial cable (included).
6. Connect the GSM modem to the power supply (included).
7. Put the plug of the power supply in the socket.
8. Check that a green LED is flashing on the modem.

You are now ready to install the SMS PASSCODE® software.


11.2 Installation of the SMS PASSCODE® Software

When all GSM modems have been connected following the instructions above, you are ready to install the SMS PASSCODE® software. Before running the installation, you should decide whether to perform a Single Server Installation or a Multi Server Installation. Please read section 8 (page 27) if you are in doubt.

The subsections below describe how to perform a Single Server Installation (section 11.2.1, page 60) or a Multi Server Installation (section 11.2.2, page 75). Please note that the choice of installation type is not permanent. If you start with a Single Server Installation, you can easily change it to a Multi Server scenario later on, and vice versa.

IMPORTANT: You must have administrator rights to install any SMS PASSCODE® components.

11.2.1 Single Server Installation

This section describes how to perform a Single Server Installation of SMS PASSCODE®. During a Single Server Installation all components are installed on the same server. The components Database Service, Web Administration Interface and Transmitter Service are always installed. This means that the target server must fulfill the system requirements for all 3 components (cf. section 5, page 14). In addition, you can optionally install the components Citrix Web Interface Protection, RADIUS Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon Protection and/or CAGAE Protection, as long as the system requirements for these components are fulfilled.

SMS PASSCODE® is installed using one of the installation programs SmsPasscode-400-x86.exe (32-bit) or SmsPasscode-400-x64.exe (64-bit). Please follow the instructions below:

1. Log on to the server using a user account with local administrator permissions.
2. Copy SmsPasscode-400-x86.exe or SmsPasscode-400-x64.exe to a local path on the server.
3. Start the installation by double-clicking the setup file (32-bit or 64-bit).


4. If the Microsoft .NET 3.5 SP1 Framework is not installed, then it will be downloaded and installed automatically before the main SMS PASSCODE® installation begins.

5. A Welcome dialog appears. Click the Next button. (During an upgrade from an earlier version of SMS PASSCODE® a notice that an upgrade is about to occur will appear in this window.)


6. An End-User License Agreement (EULA) appears. Please read the agreement carefully. If you accept the EULA:
  a. Click on I accept the terms in the license agreement.
  b. Click the Next button.


7. A dialog for selecting the type of installation appears:
  a. Leave the selection on Single Server Installation.
  b. Click the Next button.


8. A dialog for entering license information appears.

a. Enter the name of “Licensed to” from the license e-mail. Important: Please enter the company name exactly as it is written in the license e-mail. Use copy & paste.

b. Enter the license code from the license e-mail. Use copy & paste.

c. Click the Next button.


9. A dialog for selecting the installation folder appears.

a. It is recommended to use the proposed default installation folder. In case you want to change the path anyhow: Click the Change button and select a new path.

b. Click the Next button.


10. A dialog for specifying the default prefix appears.

a. Specify the default prefix for mobile phone numbers. All mobile phone numbers without an explicit prefix will have this prefix automatically added.

b. Click the Next button.


11. A dialog for configuring the first GSM modem appears (see footnote 10).

a. Select a serial port to which a GSM modem is connected.

b. Enter the PIN code of the SIM card in the GSM modem. If the SIM card does not require a PIN code, then leave the field empty.

c. Click the Next button.

10 It is possible to configure only the first GSM modem during installation. If you have connected more modems, then you have to configure these modems using the Web Administration Interface after the installation has completed.


12. A dialog for setting up the Web Administration Interface appears.

a. It is recommended to use the proposed default path for the Web Administration Interface installation folder. If you want to change the path anyhow: Click the Change button and select a new path.

b. It is recommended to use the proposed default TCP port for the Web Administration Interface site. If you want to change the TCP port anyhow, e.g. because of a port conflict with another application or another web site, then enter a different TCP port.

c. Click the Next button.


13. A dialog for selecting Authentication Clients appears.

a. Select the optional components that you would like to install on this server. Please read section 5, page 14, for more details on each component. You may also click the question mark buttons in the dialog window to get more information.

Please note: The selection of Authentication Clients is NOT permanent. In case you would like to add or remove Authentication Clients, you can always run the installation again afterwards (cf. section 0).

PLEASE NOTE: If a component is disabled for selection, this is caused by system requirements not being fulfilled for this component (cf. section 6, page 18).

b. Click the Next button.


14. If the Citrix Web Interface Protection component was selected, and if more than one Citrix Web Interface has been published on the server, then a dialog appears for selecting the Citrix Web Interface that you would like to protect using SMS PASSCODE®. If this dialog does not appear, then just skip to the next step.

a. Please select the physical path for the Citrix Web Interface (see footnote 11) that should be protected by SMS PASSCODE® authentication.

b. Click the Next button.

11 The installation program currently supports only activation of SMS PASSCODE® protection for a single Citrix Web Interface. If you need to protect several Citrix Web Interfaces on the same server, then this is also possible. Please contact [email protected] for instructions regarding this.


15. If the Citrix Web Interface Protection component was selected, then a dialog for selecting the scenario that you would like to use for the protection of the Citrix Web Interface with SMS PASSCODE® appears. If this dialog does not appear, then just skip to the next step.

a. Select one of the following three scenarios:

i. Disabled: Select this option to disable SMS PASSCODE® authentication for now and enable it manually afterwards (as described in section 12.3).

ii. Standalone or Side-by-Side logon: Select this option (recommended) to activate standard SMS PASSCODE® authentication. If no other kind of two-factor authentication system is activated, then all users must now authenticate using SMS PASSCODE® to log on to the Citrix Web Interface – this is called Standalone logon. If another kind of two-factor authentication system is activated (e.g. RSA SecurID® or SafeWord®), then the users can either authenticate using SMS PASSCODE® or the other authentication system – this is called Side-by-Side logon.

iii. Dual logon: Select this option if you need extra high security. If no other kind of two-factor authentication system is activated, then this option is identical to option (ii), i.e. all users are authenticated using SMS PASSCODE® to log on to the Citrix Web Interface – this is called Standalone logon. But if another two-factor authentication system is activated (e.g. RSA SecurID® or SafeWord®), then all users must now authenticate both using SMS PASSCODE® and the other authentication system to log on – this is called Dual logon.

b. Click the Next button.


16. If the IIS Web Site Protection component was selected and Microsoft Outlook Web Access (OWA) is installed on the server, then a dialog for configuring SMS PASSCODE® protection of the OWA site appears. If this dialog does not appear, then just skip to the next step.

a. Check this option if the OWA site on the server should be protected using SMS PASSCODE® authentication.

b. Check this option to allow ActiveSync clients to synchronize using the OWA site on this server. In this case, SMS PASSCODE® authentication will be disabled for ActiveSync requests. Please maintain security by protecting the ActiveSync clients by other means.

c. Check this option to allow RPC over HTTP/HTTPS connections using the OWA site on this server. In this case, SMS PASSCODE® authentication will be disabled for RPC over HTTP/HTTPS requests. Please maintain security by protecting these clients by other means.

d. Click the Next button.


17. If the IIS Web Site Protection component was selected and the Microsoft Remote Desktop Web Access site and the Microsoft Remote Desktop Gateway site are both installed on the server, then a dialog for configuring SMS PASSCODE® protection of the RD Web Access site appears. If this dialog does not appear, then just skip to the next step.

a. Check this option if the RD Web Access site on the server should be protected using SMS PASSCODE® authentication.

b. Click the Next button.


18. You are now ready to perform the installation according to the choices you have made. Click the Install button.

19. A dialog showing the progress of the installation appears.


20. When the installation has completed, the following dialog appears. Click the Finish button.

21. You have now completed the SMS PASSCODE® Single Server Installation. Please read section 12 (page 98) regarding configuration of SMS PASSCODE®.

11.2.2 Multi Server Installation

This section describes how to perform a Multi Server Installation of SMS PASSCODE®.

As explained in section 5 (page 14), SMS PASSCODE® is composed of several software components. You can install each component by itself or together with other SMS PASSCODE® components on a machine. In a Multi Server Installation you have complete control of how to distribute the components on several machines. However, a valid Multi Server Installation must fulfill the following requirements:

- A single Database Service must be installed on a server.
- At least one Web Administration interface must be installed – preferably on the same server as the Database Service.
- At least one Transmitter Service must be installed on a server.
- At least one GSM modem must be connected to a Transmitter Service.

It is optional to install the Load Balancing Service during a Multi Server Installation (cf. section 8.5, page 35).


The procedure for a Multi Server Installation is to run the installation package on each involved machine and select the components to be installed on this machine. The recommended order of actions is:

1. First install the Database Service component on a server (the database server). If other SMS PASSCODE® components are planned to be installed on the same server, then also include these components during this installation. It is recommended to include the Web Administration interface component.

2. Configure SMS PASSCODE® using the Web Administration Interface (cf. section 12.1). You should already at this time create all planned load balancing servers, transmitter servers and GSM modems in the database.

3. Now install the Transmitter Service component on all those servers where this component is planned for installation. If other SMS PASSCODE® components are planned to be installed on some of these servers, then also include these components during installation. Please note: In case you have already installed the Transmitter Service component on a server during step 1, do not run the installation again on this server.

4. If you plan to use the Load Balancing Service, you should now install the Load Balancing Service component on all those servers where this component is planned for installation. If other SMS PASSCODE® components are planned to be installed on some of these servers, then also include these components during installation. Please note: In case you have already installed the Load Balancing Service on some servers during step 1 or 3, do not run the installation again on these servers.

5. Finally install SMS PASSCODE® Authentication clients on the machines where these are planned for installation. Please note: In case you have already installed some of these components during step 1, 3 or 4, do not run the installation again on these machines.

The actions for installation on a machine are listed below. Please repeat these actions on each machine being part of the Multi Server Installation.

IMPORTANT: The sequence of dialogs is automatically tailored during a Multi Server Installation according to the components selected for installation. The work flow below describes all potential dialogs that may appear during a Multi Server Installation. You may not see all dialogs during your specific installation – skip forward in the work flow in case a dialog is not shown.

1. Log on to the machine using a user account with local administrator permissions.

2. Copy SmsPasscode-400-x86.exe (32-bit) or SmsPasscode-400-x64.exe (64-bit) to a local path on the machine.

3. Start the installation by double-clicking the setup file (SmsPasscode-400-x86.exe for 32-bit or SmsPasscode-400-x64.exe for 64-bit).


4. If the Microsoft .NET 3.5 SP1 Framework is not installed yet, then it will be downloaded and installed automatically before the main SMS PASSCODE® installation begins.

5. A Welcome dialog appears. Click the Next button. (During an upgrade from an earlier version of SMS PASSCODE®, a notice that an upgrade is about to occur will appear in this window.)


6. An End-User License Agreement (EULA) appears. Please read the agreement carefully. If you accept the EULA:

a. Click on I accept the terms in the license agreement.

b. Click the Next button.


7. A dialog for selecting the type of installation appears:

a. Select Multi Server Installation.

b. Click the Next button.


8. A dialog for component selection appears. This is where you decide which components are to be installed on the current machine.

a. Make your component selections.

Please note: The selections you make are not permanent. You can always run the installation again afterwards and change your selections (cf. section 0).

If you are planning to install SMS PASSCODE® Authentication clients only on the current machine, then please deselect all core components, i.e. your selection should look like this:

b. Click the Next button.


9. If a dialog for entering license information appears:

a. Enter the name of “Licensed to” from the license e-mail. Important: Please enter the company name exactly as it is written in the license e-mail. Use copy & paste.

b. Enter the license code from the license e-mail. Use copy & paste.

c. Click the Next button.


10. If a dialog for selecting the installation folder appears:

a. It is recommended to use the proposed default installation folder. In case you want to change the path anyhow: Click the Change button and select a new path.

b. Click the Next button.


11. If a dialog for specifying the default prefix appears:

a. Specify the default prefix for mobile phone numbers. All mobile phone numbers without an explicit prefix will have this prefix automatically added.

b. Click the Next button.


12. If a dialog for configuring the first GSM modem appears (see footnote 12):

a. Select a serial port to which a GSM modem is connected.

b. Enter the PIN code of the SIM card in the GSM modem. Just leave the field empty if the SIM card does not require a PIN code.

c. Click the Next button.

12 It is possible to configure only the first GSM modem during installation. If you have connected more modems, then you have to configure these modems using the Web Administration Interface after the installation has completed.


13. If a dialog for setting up the Web Administration Interface appears:

a. It is recommended to use the proposed default path for the Web Administration Interface installation folder. If you want to change the path anyhow: Click the Change button and select a new path.

b. It is recommended to use the proposed default TCP port for the Web Administration Interface site. If you want to change the TCP port anyhow, e.g. because of a port conflict with another application or another web site, then enter a different TCP port.

c. Click the Next button.


14. A dialog for selecting Authentication Clients appears.

a. Select the optional components that you would like to install on this machine. Please read section 5 (page 14) for more details on each component. Just leave all components unchecked if none of them are to be installed on the current machine. You may also click the question mark buttons in the dialog window to get more information.

Please note: The selection of Authentication Clients is NOT permanent. In case you would like to add or remove Authentication Clients you can always run the installation again afterwards (cf. section 0).

PLEASE NOTE: If a component is disabled for selection, this is caused by system requirements not being fulfilled for this component (cf. section 6, page 18).

b. Click the Next button.


15. If a dialog for selecting the Citrix Web Interface to protect using SMS PASSCODE® appears:

a. Please select the physical path for the Citrix Web Interface (see footnote 13) to be protected by SMS PASSCODE® authentication.

b. Click the Next button.

13 Currently the installation program supports activation of SMS PASSCODE® protection for only a single Citrix Web Interface. If you need to protect several Citrix Web Interfaces on the same server, then this is also possible. Please contact [email protected] for instructions on how to do this.


16. If a dialog for selecting the scenario you would like to use for the protection of the Citrix Web Interface with SMS PASSCODE® appears:

a. Select one of the following three scenarios:

i. Disabled: Select this option to disable SMS PASSCODE® authentication for now and enable it manually afterwards (as described in section 12.3).

ii. Standalone or Side-by-Side logon: Select this option (recommended) to activate standard SMS PASSCODE® authentication. If no other kind of two-factor authentication system is activated, then all users must now authenticate using SMS PASSCODE® to log on to the Citrix Web Interface – this is called Standalone logon. If another kind of two-factor authentication system is activated (e.g. RSA SecurID® or SafeWord®), then the users can either authenticate using SMS PASSCODE® or the other authentication system – this is called Side-by-Side logon.

iii. Dual logon: Select this option if you need extra high security. If no other kind of two-factor authentication system is activated, then this option is identical to option (ii), i.e. all users are authenticated using SMS PASSCODE® to log on to the Citrix Web Interface – this is called Standalone logon. But if another two-factor authentication system is activated (e.g. RSA SecurID® or SafeWord®), then all users must now authenticate both using SMS PASSCODE® and the other authentication system to log on – this is called Dual logon.

b. Click the Next button.


17. If a dialog for configuring SMS PASSCODE® protection of an OWA site appears:

a. Check this option if the OWA site on the server should be protected using SMS PASSCODE® authentication.

b. Check this option to allow ActiveSync clients to synchronize using the OWA site on this server. In this case, SMS PASSCODE® authentication will be disabled for ActiveSync requests. Please maintain security by protecting the ActiveSync clients by other means.

c. Check this option to allow RPC over HTTP/HTTPS connections using the OWA site on this server. In this case, SMS PASSCODE® authentication will be disabled for RPC over HTTP/HTTPS requests. Please maintain security by protecting these clients by other means.

d. Click the Next button.


18. If a dialog for configuring SMS PASSCODE® protection of an RD Web Access site appears:

a. Check this option if the RD Web Access site on the server should be protected using SMS PASSCODE® authentication.

b. Click the Next button.

19. You are now ready to perform the installation according to the choices you have made. Click the Install button.


20. A dialog appears showing the progress of the installation.

21. At some stage during the installation the SMS PASSCODE® Configuration Tool is automatically started:

This tool is used, among other things, for configuring the SMS PASSCODE® infrastructure, i.e. you use this tool to specify where the different SMS PASSCODE® components are located and how they should communicate with each other. You may not see all the tabs shown in the picture above because the user interface of the SMS PASSCODE® Configuration Tool is automatically adapted according to the components installed on the current machine.

You must now configure the SMS PASSCODE® infrastructure and save the settings before the SMS PASSCODE® installation is complete. Please follow the instructions below.

a. In case you have installed the Load Balancing Service, Transmitter Service or the Web Administration Interface component on the current machine, and the Database Service component is not installed on the current machine, you must specify where the database server is located. To do this, please specify the host name of the database server in the field Database host on the Database tab.

b. If you have installed an optional SMS PASSCODE® Authentication Client on the current machine, you must specify where a transmitter server is located. You can either specify a list of one or more Transmitter services or a list of one or more Load Balancing services. This is configured on the SMS Transmission tab. To specify a list of Transmitter servers: Select “Transmitter service” (a) and enter the host names of the servers running the Transmitter Service. Specify the host name of each server (b) and add it to the list by clicking the Add button (c).

In case you have installed one or more Load Balancing services: Select “Load balancing service” (a) and enter the host names of the servers running the Load Balancing Service. Specify the host name of each server (b) and add it to the list by clicking the Add button (c).

The authentication client will always try to locate a Transmitter/Load Balancing server in the specified order, i.e. the order of the servers in the list is of importance. In case of communication problems with the higher prioritized servers, the authentication client will automatically communicate with lower prioritized servers (failover).

c. The Network tab lists the TCP ports used for communication between the SMS PASSCODE® components (cf. section 8.1, page 28). If some TCP port fields are disabled and cannot be changed, this is because they are not in use by the current machine. It is recommended to use the default TCP ports proposed. But in case of TCP port conflicts with other applications you may change some TCP ports on this tab.

Important: The TCP ports must match each other on all machines having SMS PASSCODE® components installed. If you plan to change one or more TCP ports, please change these TCP ports in the same manner on all machines. If this is not observed, then communication will fail.


Finally you must enter a Shared Secret on the Network tab. This is a secret password that is used for encrypting all messages exchanged between the SMS PASSCODE® components. To ensure that security is not compromised, a password with a minimum length of 15 characters is required. It is recommended to use letters, digits and special characters in the password.

Important: Always remember to specify a Shared Secret. Please enter the same Shared Secret on all machines having SMS PASSCODE® components installed. If this is not observed, then communication will fail.


d. Click the Save button. In case a warning message appears regarding erroneous entries: Please correct all errors and click the Save button again.

e. Click the Close button. The installation will now continue.


Please note: If you have entered incorrect data in the SMS PASSCODE® Configuration Tool by accident or if you wish to change some settings later on (because of infrastructure changes), then you can always run the SMS PASSCODE® Configuration Tool again manually. A shortcut to this tool is created in the Windows Start menu.

22. The dialog below appears when the installation has completed. Click the Finish button.


23. The installation of SMS PASSCODE® is now complete on the current machine. You should now perform any necessary configurations of this machine (cf. section 12). This is especially important if you have just installed the Database Service and Web Administration Interface on the current machine. In this case, you should now start the Web Administration Interface and a) authorize all servers planned to run the Transmitter Service, b) authorize all servers planned to run the Load Balancing Service, and c) create all connected GSM modems in the database.

24. If more machines are part of this Multi Server Installation: Please go back to step 1 (page 76) and follow the same instructions for the next machine.
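The Configuration Tool settings entered in step 21 are easy to get wrong across several machines, and the guide states the consequence plainly: a differing Shared Secret or TCP port on any one machine means the components cannot talk to each other, and an Authentication Client walks its Transmitter/Load Balancing host list in order, falling over to lower entries only when higher ones fail. The following Python is an added example written for this guide, not code from SMS PASSCODE A/S or its product. It checks a set of per-machine settings against the Shared Secret policy (15 characters required; letters, digits and special characters recommended) and the cross-machine consistency rule, and it models the ordered failover lookup. Component names, host names, TCP ports and secrets are constructed sample values, not the product's defaults, and the `can_connect` probe passed to `select_transmission_host` stands in for a real connection attempt.

```python
"""Added example, not code from the SMS PASSCODE guide or product.

Checks that follow from the Configuration Tool instructions:
  * Shared Secret policy (15 characters required; letters, digits and
    special characters recommended), and Shared Secret / TCP ports that
    must be identical on every machine, otherwise communication fails;
  * ordered failover lookup of Transmitter / Load Balancing hosts.
Component names, host names, ports and secrets are constructed samples.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class MachineConfig:
    """What an administrator entered in the Configuration Tool on one machine."""
    host: str
    ports: Dict[str, int]                 # Network tab: component -> TCP port
    shared_secret: str                    # Network tab: Shared Secret
    transmission_hosts: List[str] = field(default_factory=list)  # ordered list


def shared_secret_problems(secret: str) -> List[str]:
    """Return policy violations for a Shared Secret; an empty list means OK.
    'required' entries must be fixed, 'recommended' entries are warnings."""
    problems = []
    if len(secret) < 15:
        problems.append("required: at least 15 characters")
    if not any(c.isalpha() for c in secret):
        problems.append("recommended: include letters")
    if not any(c.isdigit() for c in secret):
        problems.append("recommended: include digits")
    if not any(c in string.punctuation for c in secret):
        problems.append("recommended: include special characters")
    return problems


def infrastructure_problems(configs: List[MachineConfig]) -> List[str]:
    """Cross-machine consistency: the first machine is the reference.
    Ports are compared only for components both machines actually use
    (a disabled port field on a machine simply is not in its dict)."""
    if not configs:
        return ["no machines configured"]
    reference = configs[0]
    problems: List[str] = []
    for cfg in configs:
        for p in shared_secret_problems(cfg.shared_secret):
            problems.append(f"{cfg.host}: shared secret {p}")
        if cfg.shared_secret != reference.shared_secret:
            problems.append(f"{cfg.host}: shared secret differs from {reference.host}")
        for component, port in cfg.ports.items():
            ref_port = reference.ports.get(component)
            if ref_port is not None and ref_port != port:
                problems.append(
                    f"{cfg.host}: {component} port {port} differs from "
                    f"{ref_port} on {reference.host}")
    return problems


def select_transmission_host(
    ordered_hosts: List[str], can_connect: Callable[[str], bool]
) -> Optional[str]:
    """Failover as the guide describes it: hosts are tried in list order and
    the first one that answers is used; None means every host was unreachable."""
    for host in ordered_hosts:
        if can_connect(host):
            return host
    return None


# Constructed sample configuration of a three-machine installation.
SAMPLE_CONFIGS = [
    MachineConfig("db-server", {"database": 9001, "transmitter": 9002},
                  "Tr4nsm1t!Secure#Key", []),
    MachineConfig("tx-server", {"database": 9001, "transmitter": 9002},
                  "Tr4nsm1t!Secure#Key", []),
    # Wrong port and a weak, different secret on the authentication client:
    MachineConfig("owa-frontend", {"transmitter": 9003},
                  "password123", ["tx-server", "tx-backup"]),
]

if __name__ == "__main__":
    for line in infrastructure_problems(SAMPLE_CONFIGS):
        print(line)
    # Simulate tx-server being down: the client falls over to tx-backup.
    print(select_transmission_host(SAMPLE_CONFIGS[2].transmission_hosts,
                                   lambda h: h == "tx-backup"))
```

Running the sample reports four findings, all on owa-frontend: a short secret without special characters, a secret that differs from db-server, and a transmitter port that differs from the reference; db-server and tx-server pass. The port comparison deliberately skips components a machine does not list, matching the guide's note that disabled port fields are not in use on that machine.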


12 SMS PASSCODE® CONFIGURATION

After having completed the SMS PASSCODE® installation you should perform some configurations before SMS PASSCODE® is ready for use:

1) Use the Web Administration Interface for the following tasks:

a. Configuring SMS PASSCODE® settings.

i. Configuring general settings

ii. Configuring passcode settings

iii. Configuring AD Integration settings

iv. Updating license information

b. Maintaining SMS PASSCODE® users.

c. Maintaining SMS infrastructure

i. Maintaining GSM modems

ii. Maintaining transmitter servers

iii. Maintaining load balancing servers

iv. Maintaining modem groups and load balancing policies

Please read section 12.1 for a description of the above.

2) Configuration of SMS PASSCODE® Authentication Clients:

a. Configuration of the Citrix Web Interface Protection component.

Please read section 12.3 (page 153).

b. Configuration of the RADIUS Protection component.

Please read section 12.4 (page 154).

c. Configuration of the ISA/TMG Web Site Protection component.

Please read section 0 (page 198).

d. Configuration of the IIS Web Site Protection component.

Please read section 0 (page 203).

e. Configuration of the Windows Logon Protection component.

Please read section 0 (page 212).

f. Configuration of the CAGAE Protection component.

Please read section 12.8 (page 218).

Additionally, the SMS PASSCODE® Configuration Tool allows you to perform various tasks, like re-configuring the SMS PASSCODE® infrastructure and changing settings for some authentication clients. Please read section 12.9 (page 226) for more details regarding the configuration tool.


12.1 Web Administration Interface

Using the SMS PASSCODE® Web Administration Interface (WAI) you can:

- Configure SMS PASSCODE® settings
- Maintain SMS PASSCODE® users
- Maintain transmitter servers (Multi Server installation only)
- Maintain load balancing servers (Multi Server installation only)
- Maintain GSM modems
- Maintain modem groups (Multi Server installation with load balancing servers only)
- Maintain load balancing policies (Multi Server installation with load balancing servers only)
- Maintain license information

In the following subsections WAI is used as a shorthand for Web Administration Interface, and WAI server designates the server on which WAI is installed.

By default, only members of the Administrators group have permissions to access the WAI. Non-administrators can be granted permission to access the WAI by adding them to the user group “SMS PASSCODE Administrators”.

12.1.1 Starting the Web Administration Interface

You can start WAI in three different ways:

1. You can start WAI using a shortcut created on the desktop of the WAI server:


2. You can start WAI using a shortcut created in the Windows Start Menu of the WAI server:

3. WAI is also available from any computer on the network using a web browser as long as this computer can connect to the WAI server on TCP port 2000 (see footnote 14). Connect to WAI using the URL http://ip-address:2000, where ip-address should be replaced with the IP address of the WAI server. By default, only administrators of the WAI server have access to the WAI using a web browser.

14 Port 2000 is the default TCP port for the Web Administration Interface. The port may be changed during installation.


The following user interface is shown on the first start up of WAI:

The left part of the user interface is a navigation menu. Please notice that this navigation menu is dynamically adapted according to the different data and settings in the WAI, i.e. the navigation menu might in your case contain other menu items than shown above.

The complete list of possible menu items is:

Users

Maintain users
Maintain SMS PASSCODE® users, i.e. create, edit and delete users. Please read section 12.1.2 (page 103) for details.

Import users
Import SMS PASSCODE® users from a comma-separated file. Please read section 12.1.3 (page 110) for details.


Transmission

Transmitter Hosts

Maintain Transmitter servers, e.g. authorize additional Transmitter servers.

Please read section 12.1.4 (page 111) for details.

This menu item is only available in a Multi Server Installation.

Load Balancing Hosts

Maintain Load Balancing servers, e.g. authorize additional Load Balancing servers. Please

read section 12.1.5 (page 112) for details.

This menu item is only available in a Multi Server Installation.

Modems

Maintain GSM modems, e.g. create additional GSM modem entries.

Please read section 12.1.6 (page 114) for details.

Modem Groups

Maintain modem groups, which are used by Load Balancing Policies.

Please read section 12.1.7 (page 118) for details.

This menu item is only available in a Multi Server Installation, and only when at least one

Load Balancing Service is in use.

Load Balancing Policies

Maintain Load Balancing Policies. Please read section 12.1.8 (page 122) for details.

This menu item is only available in a Multi Server Installation, and only when at least one

Load Balancing Service is in use.

Monitoring

Modems

Inspect the current live status of all GSM modems.

Please read section 12.1.9 (page 137) for details.

Settings

General

Maintain general settings, e.g. enable AD Integration.

Please read section 12.1.10 (page 139) for details.

Passcode

Maintain passcode specific settings, e.g. passcode length and lifetime.

Please read section 12.1.11 (page 140) for details.

AD Integration

Maintain AD Integration settings. Please read section 12.1.12 (page 142) for details.

This menu item is only available, when AD Integration has been enabled.

License

Maintain license information, e.g. when additional licenses have been acquired. Please

read section 12.1.13 (page 151) for details.


After the installation of SMS PASSCODE® the recommended order of actions is:

1. Configure the general settings and the passcode settings.

2. AD Integration enabled in step 1?

a. Yes: Configure the AD Integration settings.

b. No: Create users manually.

3. Single Server Installation?

a. Yes: Optionally create additional GSM modems, if you have several modem

licenses for failover.

b. No: Optionally create additional GSM modems and Transmitter servers, if failover is

required. Optionally create Load Balancing servers, if failover and load balancing are

required. Optionally create modem groups and Load Balancing Policies, if advanced

load balancing is required.

The following subsections describe in detail the individual menu items of the WAI.

12.1.2 Maintaining Users

The menu Maintain users of the WAI is used for maintaining SMS PASSCODE® users. Only

users listed on this page will be granted access by SMS PASSCODE®.

Users can be maintained in two different ways – manually or using Active Directory integration.

You can use both ways at the same time. I.e. you can decide to maintain some users manually,

while other users are maintained using Active Directory Integration.

Active Directory Integration is disabled by default. You can enable it using the general settings

menu item (cf. section 12.1.10, page 139).


12.1.2.1 Adding Users Manually

This section describes how to manually add a new SMS PASSCODE® user. Please note, that you

also can bulk import users from a comma-separated file (cf. section 12.1.3, page 110).

To add a new user, follow the instructions below:

1. On the Maintain users page enter the data of the new user:

a. Enter the user name (mandatory).

If using a single domain for authentication, you can just enter the user name without

any domain name prefix. However, if you are planning to create users from different

domains, you should always enter the user name in the format domain\username to

avoid name conflicts in case some users from different domains have identical user

names.

b. Enter the user’s mobile phone number (mandatory).

You may explicitly enter an international phone number prefix (e.g. +44). If no prefix

is entered, then the default prefix is assumed. The default prefix is configured on the

general settings page (cf. section 12.1.10, page 139).

c. Enter the user’s PIN code (optional).

This is only necessary if you require the user to enter an additional PIN code during

SMS PASSCODE® authentication.

d. Enable/Disable flash SMS for the user (optional).

You may disable flash SMS if a user’s cell phone does not accept flash SMS for

some reason. The default setting for flash SMS is configured on the general settings

page (cf. section 12.1.10, page 139).

Flash SMS have two advantages: 1) they normally pop up automatically on the

user’s cell phone, and 2) they are normally not stored on the cell phone after

usage.

e. Click the Add new user button.

2. The new user appears highlighted in the list of users:

3. To verify the user’s mobile phone number, you can click the Test SMS button. This will

trigger a transmission of a test SMS to the specified mobile phone number.

4. Please note that the remaining number of user licenses is updated every time you create a

new user. In this way you will instantly notice if you are running low on user licenses.


12.1.2.2 Deleting Users Manually

This section describes how to manually delete an SMS PASSCODE® user. You can manually

delete only users that have been created manually. I.e. you cannot delete users that have been

imported using Active Directory Integration.

To delete an SMS PASSCODE® user, follow the instructions below:

1. On the Maintain users page, click the Delete button to the right of the user to be deleted:

2. A dialog box appears asking you to confirm the deletion. Click OK.

3. The user has now been removed from the SMS PASSCODE® user list.


12.1.2.3 Adding and Deleting Users Using AD Integration

When Active Directory Integration has been enabled you can also maintain users using one or

more selected groups in Active Directory. All users belonging to these AD groups are automatically

added to the SMS PASSCODE® user list on the Maintain users page. When a user is removed

from one of the selected AD groups, then the user is automatically removed from the SMS

PASSCODE® user list.

Please note that when users are added to or removed from a selected AD group, the change does

not appear immediately in the SMS PASSCODE® user list, because SMS PASSCODE® checks for AD

changes only periodically. To make an Active Directory change take effect in SMS PASSCODE®

immediately, force a refresh by clicking the Sync now button on the Maintain users page:

If some users are not imported into the SMS PASSCODE® user list from the Active Directory, even

though they are member of a selected AD group, this will be displayed as “Users skipped”:


Users might be skipped due to the following reasons:

Lack of user licenses. Please check the number of remaining licenses.

Missing or incorrect mobile phone number. Please check the content of the field in Active

Directory containing the mobile phone number.

The same user is being imported multiple times (only possible when multi domain mode is

enabled and several AD imports have been setup to import users from the same domain).

Please inspect the Windows event viewer to get the exact details regarding any skipped users. The

AD synchronization event entry will contain the details.

12.1.2.4 Editing Users

If you need to change data or settings for an existing SMS PASSCODE® user, then you can edit

the user. You always have these options for maintaining a user’s data:

Enable/disable PIN code.

Resetting existing PIN code (if PIN code is enabled).

Enable/disable flash SMS.

Lock/unlock user

For manually created users, you can also edit the user name or mobile phone number. This is not

possible for users imported using AD Integration, because in this case these attributes are

maintained in the AD.

To edit a user, please follow the instructions below:

1. Click the Edit button to the right of the user to be edited:


2. The user is now ready for editing:

a. You can change the user name in this field

(the field is locked for changes if the user is imported using AD Integration).

b. You can change the mobile phone number in this field

(the field is locked for changes if the user is imported using AD Integration).

c. Check/Uncheck this checkbox to enable/disable a PIN code for this user.

d. If a PIN code is enabled for this user, then you can enter/change the PIN code in

this field.

e. Check/Uncheck this checkbox to enable/disable flash SMS for this user.

f. You can manually lock out a user by checking this checkbox. If a user has been

locked out automatically, you can unlock the user by clearing this checkbox.

g. Click the Update button to save all changes.

h. Click the Cancel button to undo all changes.


12.1.3 Importing Users

Instead of creating each user manually you can also bulk import users into SMS PASSCODE®. To

perform an import, you need a comma-separated (CSV) file containing the user data.

To start the import process, select Import users in the navigation menu:

The Import users page contains information regarding the expected syntax of the comma-

separated file. The file must at least contain two fields per line containing the user name and

mobile phone number of each user, respectively.

Please note, that it is also possible to initiate the import of users using a command line tool. This is

especially useful if you would like to schedule an automated periodic import or synchronization of

users from a comma-separated file. Please read section 12.2 (page 152) for more details regarding

this.
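The following script is an added example and is not part of this guide or of the SMS PASSCODE® product. It checks a comma-separated import file against the rules given above and in section 12.1.2.1 (two fields per line; user names in the form domain\username when several domains are in use; the default international prefix applied to mobile numbers entered without one) and reports the lines that would end up as skipped users for the reasons listed in section 12.1.2.3 (missing or malformed mobile number, the same user imported twice). The sample file, the default prefix +45 and the number format check are constructed assumptions; the Import users page and the command-line tool remain authoritative for the accepted syntax.

```python
import csv
import io
import re

# Constructed sample import file (not from the guide). Two fields per line, as the
# Import users page requires: user name, mobile phone number. Line 3 repeats a user,
# line 4 omits the domain prefix, line 5 has no number.
SAMPLE_CSV = """\
CORP\\alice,+45 12 34 56 78
CORP\\bob,22334455
CORP\\alice,+4598765432
carol,+44 7700 900123
dave,
"""

# Assumption: "+45" is the default prefix configured on the General settings page.
DEFAULT_PREFIX = "+45"


def normalize_number(raw, default_prefix=DEFAULT_PREFIX):
    """Return the number in +<country><subscriber> form, or None if it is unusable.

    Numbers without an explicit prefix get the default prefix, as SMS PASSCODE does.
    """
    digits = re.sub(r"[\s\-().]", "", raw or "")
    if not digits:
        return None
    if digits.startswith("00"):            # international dialling form -> "+"
        digits = "+" + digits[2:]
    if not digits.startswith("+"):
        digits = default_prefix + digits
    # "+" followed by a non-zero digit and 7 to 15 digits in total (E.164 limit)
    if not re.fullmatch(r"\+[1-9]\d{6,14}", digits):
        return None
    return digits


def load_users(text, default_prefix=DEFAULT_PREFIX, multi_domain=False):
    """Validate a CSV import file before handing it to SMS PASSCODE.

    Returns (accepted, skipped): accepted is a list of (user name, number),
    skipped is a list of (line number, reason) mirroring the reasons the guide
    gives for "Users skipped" (missing/incorrect number, duplicate user).
    """
    accepted, skipped, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue                                    # blank line
        if len(row) < 2:
            skipped.append((lineno, "fewer than two fields"))
            continue
        name = row[0].strip()
        if multi_domain and "\\" not in name:
            skipped.append((lineno, f"{name!r}: use DOMAIN\\user when importing several domains"))
            continue
        key = name.lower()                              # Windows user names are case-insensitive
        if key in seen:
            skipped.append((lineno, f"{name!r}: duplicate user name"))
            continue
        number = normalize_number(row[1], default_prefix)
        if number is None:
            skipped.append((lineno, f"{name!r}: missing or malformed mobile number {row[1]!r}"))
            continue
        seen.add(key)
        accepted.append((name, number))
    return accepted, skipped


if __name__ == "__main__":
    ok, bad = load_users(SAMPLE_CSV)
    for name, number in ok:
        print(f"import  {name:<12} {number}")
    for lineno, reason in bad:
        print(f"skip    line {lineno}: {reason}")
```

Run it with multi_domain=True when the installation imports users from more than one domain; every line without a domain\username prefix is then reported before the import, instead of silently colliding with a user of the same name from another domain.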


12.1.4 Transmitter Hosts

An SMS PASSCODE® Single Server Installation always contains one single Transmitter service,

whereas a Multi Server Installation might contain several Transmitter services on different servers.

When using several Transmitter services in a Multi Server Installation setup, you must authorize

each Transmitter service. Authorization is carried out by specifying the host name of each server

allowed to run the Transmitter service. The procedure for this is described in the following

subsection.

IMPORTANT – authorize before installation:

Remember to authorize each Transmitter service BEFORE it is installed. If this is not observed,

then the Transmitter service will shut down after installation because of missing authorization. You

will then need to manually restart the Transmitter service after it has been authorized.

12.1.4.1 Maintaining Authorized Transmitter Servers

To authorize a Transmitter server, please follow the instructions below:

1. Select the Transmitter Hosts page.

2. Add the authorized server to the list of authorized Transmitter servers:

a. Enter the host name (or IP-address) of the server to be authorized.

b. Click the Add button.


3. The server has now been added to the list:

If you need to correct the name of the server afterwards, then click the Edit button to the right of

the authorized Transmitter server.

If you need to remove the authorization, then click the Delete button to the right of the authorized

Transmitter server.

12.1.5 Load Balancing Hosts

An SMS PASSCODE® Single Server Installation never contains a Load Balancing service,

whereas a Multi Server Installation might contain one or more Load Balancing services (on

different servers).

When using Load Balancing services in a Multi Server Installation setup, you must authorize each

Load Balancing service. Authorization is carried out by specifying the host name of each server

allowed to run the Load Balancing service. The procedure for this is described in the following

subsection.

IMPORTANT – authorize before installation:

Remember to authorize each Load Balancing service BEFORE it is installed. If this is not

observed, then the Load Balancing service will shut down after installation because of missing

authorization. You will then need to manually restart the Load Balancing service after it has been

authorized.


12.1.5.1 Maintaining Load Balancing Servers

To authorize a Load Balancing server, please follow the instructions below:

1. Select the Load Balancing Hosts page.

2. Add the authorized server to the list of authorized Load Balancing servers:

a. Enter the host name (or IP-address) of the server to be authorized.

b. Click the Add button

3. The server has now been added to the list:

If you need to correct the name of the server afterwards, then click the Edit button to the right of

the authorized Load Balancing server.

If you need to remove the authorization, then click the Delete button to the right of the authorized

Load Balancing server.


12.1.6 GSM Modems

You can connect up to 32 GSM Modems to each Transmitter service. To inform each Transmitter

service which modems to initialize and use, you must add each modem to the database.

Please note, that you can add and remove modems on-the-fly, e.g. you can connect more modems

and create them in the database without restarting any Transmitter service – which means zero

downtime while reconfiguring modems.

The following subsections describe how to add, edit and remove modem settings.

12.1.6.1 Adding GSM Modems

Whenever you have connected an additional GSM modem to a Transmitter service, you must add

the settings for this modem to the database. The Transmitter service will not make use of the new

modem before it has been added to the database.

To add a new GSM modem, please follow the instructions below:

1. Select the Modems page.

2. Enter the settings for the new modem:

a. Select the Transmitter server to which the new modem has been connected.

b. Select the serial port to which the modem has been connected.

c. Enter the PIN code for the SIM card in the GSM modem. Leave this field empty if

the SIM card is not protected by a PIN code.

d. Click the Add new modem button.


3. The GSM modem has now been added to the database and is shown in the modem list:

4. The new modem is now automatically initialized on-the-fly if the Transmitter service is up

and running on the specified server and the modem has been connected to the specified

serial port. If you would like to verify this, then inspect the SMS PASSCODE Transmission

event log on the Transmitter server.

Notice, that the number of remaining modem licenses is updated every time you add a new

modem:

12.1.6.2 Deleting Modems

Whenever you are planning to disconnect a GSM modem from a Transmitter service, you should

remove this modem from the database beforehand. This allows the Transmitter service to

terminate the modem gracefully before it is disconnected.


To remove a GSM modem, please follow the instructions below:

1. Select the Modems page.

2. Click the Delete button to the right of the modem to be deleted:

3. A dialog box appears, asking you to confirm the deletion. Click OK.

4. The modem has now been removed from the modem list.

5. If the modem has not already been disconnected, then the modem is now automatically

terminated on-the-fly (if the Transmitter service is up and running on the specified server).

The modem is terminated gracefully, i.e. any queued SMS messages will be sent before

the modem is terminated. If you would like to verify the modem termination, then inspect

the SMS PASSCODE Transmission event log on the Transmitter server.


12.1.6.3 Editing Modems

This section describes how to edit the settings of a GSM modem in the database. Editing might be

necessary in the following cases:

A modem has been moved to another Transmitter server.

A modem has been moved to another serial port.

The PIN code of a SIM card has changed (e.g. because a new SIM card has been

inserted).

A modem should be disabled temporarily.

To edit a modem, please follow the instructions below:

1. Select the Modems page.

2. Click the Edit button to the right of the modem to be edited:


3. The modem is now ready for editing:

a. Check/uncheck this checkbox to enable/disable a modem. This is useful for

temporarily disabling a modem without deleting it.

b. Change the Transmitter server using this drop-down list, e.g. if a modem has been

moved from one Transmitter server to another.

c. Change the serial port using this drop-down list, e.g. if a modem has been moved

from one serial port to another.

d. Enter/change the PIN code of the SIM card in the modem. Leave this field empty, if

the SIM card is not protected by a PIN code.

e. Click the Update button to save all changes.

f. Click the Cancel button to undo all changes.

12.1.7 GSM Modem Groups

All GSM modems created in the database can be grouped into modem groups. The modem groups

are maintained on the Modem Groups page. Please notice, that this page is only available when

at least one Load Balancing Host has been authorized. This is due to the fact that modem groups

are only useful when using Load Balancing servers and Load Balancing Policies, because modem

groups are used by Load Balancing Policies to restrict the load balancing to subsets of all modems

in specific circumstances. E.g. you can group the modems according to country location or GSM

service provider.

The following subsections describe how to create, edit and delete modem groups.

NOTE: Please note, that the built-in modem group All modems is a dynamic group which will

always contain all modems currently created in the database. You cannot edit or delete this

modem group.


12.1.7.1 Creating Modem Groups

To create a new modem group, follow this procedure:

1. Select the Modem Groups page.

2. Create a new modem group:

a. Enter the name of the new modem group.

b. Click the Add button.


3. The modem group has now been created and is shown in the modem group list:

12.1.7.2 Editing Modem Groups

You can edit a modem group to change the name of the group and to add/remove modem

members. To edit an existing modem group, please follow this procedure:

1. Select the Modem Groups page.

2. Click the Edit button to the right of the modem group to be edited.


3. The modem group is now ready for editing:

a. Change the name of the modem group, if needed.

b. Check/uncheck modems as needed, leaving only those modems checked that

should be members of the modem group in question.

c. Click the Update button to save all changes.

d. Click the Cancel button to undo all changes.

4. All changes are immediately pushed to all Load Balancing services, thereby being taken

into account on-the-fly.


12.1.7.3 Deleting Modem Groups

To delete an existing modem group, please follow this procedure:

IMPORTANT: Please note when deleting a modem group that all Load Balancing Policies referring

to this modem group will be deleted as well.

1. Select the Modem Groups page.

2. Click the Delete button to the right of the modem group to be deleted:

3. A dialog box appears, asking you to confirm the deletion. Click OK.

4. The modem group has now been removed from the modem group list.

12.1.8 Load Balancing Policies

Load Balancing Policies (LB Policies) allow for advanced load balancing and failover of SMS

transmissions. LB Policies are maintained on the Load Balancing Policies page. This menu item

is only available when at least one Load Balancing Host has been authorized (since LB Policies

are used by Load Balancing services only).

The configuration of LB Policies is very flexible and allows for many different setups. The following

subsections describe in detail, how the LB Policies are configured. First Section 12.1.8.1 explains

the overall idea of having a sequence of LB Policy items. The subsequent sections describe, how

the individual LB Policy items are maintained, i.e. how you can create, re-arrange, delete and edit

LB Policy items. Following the detailed explanation, section 12.1.8.6 (page 133) lists a couple of

examples on how you could configure the LB Policies to fulfill specific requirements.


12.1.8.1 Load Balancing Policy Sequence

LB Policies are configured by creating a sequence of prioritized LB Policy items, e.g. a specific

sequence could consist of LB Policy items 1 to 5. Whenever a Load Balancing service is receiving

an authentication request, it will evaluate the sequence of LB Policy items to determine the action

to be taken. The sequence is always evaluated in strict order from the first to the last item. I.e. if

the sequence consists of n LB Policy items, then the items are evaluated in this order:

LB Policy 1

LB Policy 2

LB Policy 3

...

LB Policy n-1

LB Policy n

The Load Balancing service will stop the evaluation of the sequence as soon as the first matching

LB policy is found. I.e. the LB Policy sequence can be seen as an “if-then-else” chain:

IF LB Policy 1 applies THEN use LB Policy 1

ELSE IF LB Policy 2 applies THEN use LB Policy 2

ELSE IF LB Policy 3 applies THEN use LB Policy 3

...

ELSE IF LB Policy n-1 applies THEN use LB Policy n-1

ELSE use LB Policy n

Please note, that the last LB Policy item of the sequence will always be a built-in default LB

Policy which applies to all authentication requests. This is to ensure, that every authentication

request is handled even though no other LB Policy of the sequence would apply.

The possibilities using LB Policies are very wide-ranging. You can create any number of LB Policy

items and you can re-arrange the order of them as needed afterwards.

The subsequent sections describe how you maintain the individual LB Policy items of the

sequence.

Section 12.1.8.2 (page 124) describes how new LB Policy items are added to the

sequence.

Section 12.1.8.3 (page 125) describes how LB Policies are re-arranged within the

sequence.

Section 12.1.8.4 (page 126) describes how LB Policy items are removed from the

sequence.

Section 12.1.8.5 (page 127) explains the settings of each LB Policy item, and how they are

configured.

Please note that you can make any number of changes to the LB Policy sequence without

affecting current behavior: no change takes effect until you click the Save button. As long as the

Save button has not been clicked, you can undo all changes by leaving the page or clicking the

Cancel button. When you click the Save button, all changes are immediately pushed to all Load

Balancing services on-the-fly and take effect immediately.
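As an added example (not code from this guide or from the SMS PASSCODE® product), the following Python model evaluates an LB Policy sequence as the if-then-else chain described above, including the pre-conditions and failover options that section 12.1.8.5 explains for each item: the phone number and user name prefix conditions combined with AND, skipping to the next valid policy when all modems of the selected modem group are down, and resending after passcode expiry. The modem names, their up/down status and the three policies are constructed for the example; the built-in default item is modelled as a last policy that always applies.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ModemGroup:
    """A modem group: modem name -> True if the modem is currently up.

    The status values are constructed for the example; in the product they come
    from the Transmitter services (see the Monitoring > Modems page).
    """
    name: str
    modems: dict

    def available(self):
        return any(self.modems.values())


@dataclass
class LBPolicy:
    """One LB Policy item with the settings described in section 12.1.8.5."""
    description: str
    modem_group: ModemGroup
    enabled: bool = True
    always: bool = False                   # "Always apply this policy"
    number_prefix: Optional[str] = None    # "Only apply ... if the mobile phone number" starts with
    user_prefix: Optional[str] = None      # "Only apply ... if the user name" starts with
    next_if_all_down: bool = False         # "Use next valid policy, if all modems ... are down"
    expiry_next_policy: bool = False       # "If passcode expires: Send new passcode using next valid policy"

    def applies(self, user, number):
        """Pre-condition check. Both prefix conditions, when set, must hold (AND)."""
        if not self.enabled:
            return False
        if self.always:
            return True
        conditions = []
        if self.number_prefix is not None:
            conditions.append(number.startswith(self.number_prefix))
        if self.user_prefix is not None:
            conditions.append(user.lower().startswith(self.user_prefix.lower()))
        return bool(conditions) and all(conditions)


def evaluate(sequence, user, number, start=0):
    """Walk the sequence in strict order, like the if-then-else chain above.

    Returns (policy, trace). policy is None when authentication fails. The
    built-in default item must be last and always applies, so a real sequence
    never runs off the end.
    """
    trace = []
    for i in range(start, len(sequence)):
        p = sequence[i]
        if not p.applies(user, number):
            trace.append(f"{i + 1}: '{p.description}' does not apply")
            continue
        if not p.modem_group.available():
            if p.next_if_all_down:
                trace.append(f"{i + 1}: '{p.description}' matched, all modems down, trying next policy")
                continue
            trace.append(f"{i + 1}: '{p.description}' matched, all modems down, authentication fails")
            return None, trace
        trace.append(f"{i + 1}: '{p.description}' selected (group '{p.modem_group.name}')")
        return p, trace
    trace.append("no policy applied, authentication fails")
    return None, trace


def on_passcode_expired(sequence, used, user, number):
    """Expiry handling for the item that sent the passcode: fail, or resend via the next valid item."""
    if not used.expiry_next_policy:
        return None, ["authentication fails (default expiry behaviour)"]
    return evaluate(sequence, user, number, start=sequence.index(used) + 1)


# Constructed example setup (assumed names and modem states, not from the guide).
UK_MODEMS = ModemGroup("UK modems", {"UK1": False})                     # the only UK modem is down
DK_MODEMS = ModemGroup("DK modems", {"DK1": True, "DK2": False})
ALL_MODEMS = ModemGroup("All modems", {**UK_MODEMS.modems, **DK_MODEMS.modems})  # built-in dynamic group

UK_POLICY = LBPolicy("UK numbers via UK modems", UK_MODEMS, number_prefix="+44", next_if_all_down=True)
DK_POLICY = LBPolicy("Danish numbers via DK modems", DK_MODEMS, number_prefix="+45", expiry_next_policy=True)
DEFAULT_POLICY = LBPolicy("Built-in default", ALL_MODEMS, always=True)
SEQUENCE = [UK_POLICY, DK_POLICY, DEFAULT_POLICY]

if __name__ == "__main__":
    for user, number in [("CORP\\alice", "+447700900123"), ("CORP\\bob", "+4522334455")]:
        chosen, trace = evaluate(SEQUENCE, user, number)
        print(user, number, "->", chosen.description if chosen else "FAIL")
        for line in trace:
            print("   ", line)
```

The trace returned by evaluate shows why a request ended up in a given item, which is the question to answer when a user reports that a passcode arrived via an unexpected modem or not at all: a matched item whose modem group is down fails the login unless "Use next valid policy" is set on it, so every item that restricts transmission to a small group should either have that option checked or be followed by a broader fallback item.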


12.1.8.2 Adding New LB Policy Items

To add a new item to the LB Policy sequence, proceed as follows:

1. Select the Load Balancing Policies page.

2. Scroll up/down the page to find the correct position in the sequence.

3. Click the Add new policy here link at the position where the new LB Policy item should be

added.

4. A new LB Policy item with default settings is now added to the sequence. Configure this

item according to your requirements.

5. No changes are saved until you click the Save button.


12.1.8.3 Re-Arranging LB Policy Items

You can always re-arrange the LB Policy items within the LB Policy sequence to change priority,

except the last item of the sequence which is a built-in default LB Policy – this LB Policy item is

fixed and cannot be moved.

To re-arrange a LB Policy item, proceed as follows:

1. Select the Load Balancing Policies page.

2. Scroll up/down the page to find the item to be re-arranged.

3. Click the Move up or Move down link on the item to move it one position up or down in the

sequence, respectively.

4. No changes are saved until you click the Save button.


12.1.8.4 Deleting LB Policy Items

You can delete all LB Policy items in the LB Policy sequence, except the last item of the sequence

which is a built-in default LB Policy – this LB Policy item cannot be deleted.

To delete a LB Policy item, proceed as follows:

1. Select the Load Balancing Policies page.

2. Scroll up/down the page to find the item to be deleted.

3. Click the Delete this policy link on the item.

4. The LB Policy is removed from the sequence immediately. But please remember, that no

changes are saved, until you click the Save button.


12.1.8.5 Configuring LB Policy Settings

Each LB Policy item contains settings that can be configured according to your specific

requirements. The different settings are explained in this section.

To configure the settings of a LB Policy item, proceed as follows:

1. Select the Load Balancing Policies page.

2. Scroll up/down the page to find the item to be configured.

3. The LB Policy item shows these settings:


a. Enabled: This check box specifies whether the LB Policy is enabled (active). If you

uncheck this setting, the LB Policy will be skipped during evaluation. This might be

useful for temporary de-activation of the LB Policy.

b. Description: This is just an informative text for your own information. You can use it

to describe the intention of the LB policy.


c. Pre-conditions: This section contains settings, defining when the LB Policy item

should be applied to an incoming authentication request. The following options are

available:

i. Always apply this policy: Check this checkbox if the LB Policy item should

be valid for all incoming authentication requests.

ii. Only apply this policy, if the mobile phone number: Check this checkbox

if the LB Policy item should only be valid for authentication requests resulting

in SMS passcodes being sent to specific mobile numbers. E.g. you can

specify that the LB Policy will only be valid for passcodes being sent to

mobile numbers starting with a specific international prefix.

iii. Only apply this policy, if the user name: Check this checkbox if the LB

Policy item should only be valid for authentication requests coming from

specific user names. E.g. you can specify that the LB Policy will only be valid

for user names starting with a specific domain name.

If both checkboxes (ii) and (iii) are checked, then the LB Policy will not be applied

unless both conditions are fulfilled (“AND condition”).

Please note, that although an authentication request passes the specified pre-

conditions, the LB Policy item might still be skipped due to other settings (in the

Passcode type section).


d. If passcode expires: This section contains a setting defining the behavior when a

passcode has expired.

i. Authentication fails (default): Select this option if the authentication should

fail when the passcode has expired. This is the default behavior.

ii. Send new passcode using next valid policy: When this option is selected

and a passcode expires during an authentication attempt, the Load

Balancing service will continue the evaluation of the LB Policy sequence and

look for the next LB Policy item that applies to the current authentication

request. When the next valid LB Policy has been determined, a new

passcode is generated for the same authentication session. This might be

useful for automatic failover in the rare event of GSM network problems, or if

the user uses two mobile phones for different purposes. E.g. if an SMS

passcode expires, a new passcode could automatically be sent using a

different modem group, or a new passcode could be sent to the user’s

secondary mobile phone.

e. Passcode type: This section contains settings regarding the passcode generation

and transmission during an authentication request.

i. Send random SMS PASSCODE using this modem group: Select this

option to generate a random one-time-passcode (OTP) on each new

authentication attempt which will be sent to the user by SMS. This is the

default and recommended behavior to provide real, secure, session-based

two-factor authentication. Select the modem group containing the modems

that are allowed for transmission of the passcodes being generated by the

LB Policy. Selecting All modems will provide traditional, intelligent load

balancing between all modems created in the SMS PASSCODE® database,

whereas selecting a specific modem group will restrict the load balancing to

the modems of this group. E.g. you could restrict the transmission of

passcodes to modems of a specific GSM service provider or modems

located in a specific country.

Please note, that when sending One-Time-Passcodes using GSM modems

(i), you have up to three additional options:

Use next valid policy, if all modems of the selected modem group are

down: When this option is checked, and all modems of the selected modem

group are unavailable for some reason, the Load Balancing service will skip

this LB Policy item, continue the evaluation of the LB Policy sequence and

look for the next LB Policy item that applies to the current authentication

request. In this way, you can select a prioritized modem group to be used by

default, but still have another modem group (e.g. All modems) in another

LB Policy item for failover. When this option is NOT checked, and all

modems of the selected modem group are unavailable for some reason,

authentication will fail and logging on will not be possible.

Use next valid policy, if the shortest queue length exceeds: When

checking this option, you must also enter the longest acceptable queue

length. The Load Balancing service will skip this LB Policy item, continue the

evaluation of the LB Policy sequence and look for the next LB Policy item

that applies to the current authentication request, whenever the current

queue length of all modems in the selected modem group exceeds the

specified longest acceptable queue length. In this way, you can select a

prioritized modem group to be used by default, but still have another modem

group (e.g. All modems) in another LB Policy item for periods of high loads

on the default modems. When this option is NOT checked, the modems of

the selected modem group will always be used, irrespective of the current

queue lengths.

Send passcode to: Select whether the OTP should be sent to the user’s

primary or secondary mobile phone number. If the secondary mobile number

is selected, then the LB Policy item will be skipped for all users, who have

not been assigned a secondary mobile number.

Please note: This option is only available if secondary mobile numbers have

been enabled on the General Settings page.

ii. Use static passcode: Select this option to allow the user to log in using a

pre-defined static passcode on each authentication attempt. The user can

perform several logins with the same passcode.

IMPORTANT: Use this option only in case of emergency. Selecting this

option reduces the security from two-factor to one-factor authentication.

It is possible to enable this option for a subset of users only (using the Pre-

conditions), but you should still only do this in case of emergency, because

the total security level is never better than the weakest link. You should

never configure an LB Policy with static passcodes to be used as automatic

failover when the OTP of a higher prioritized LB Policy item expires. This

would still reduce the security to one-factor-authentication because a hacker

could let the OTP expire on purpose on each authentication attempt.

f. Passcode life time: This section contains settings regarding the life time of the

passcode (i.e. the duration before a passcode expires).

i. Use system default: Select this option if the default passcode lifetime

defined on the General settings page should be used.

ii. Use custom duration: Select this option if you would like to override the

default passcode lifetime and enter a passcode lifetime of own choice

(allowed range: 30-3600 seconds). E.g. when configuring a second

passcode to be sent when the first passcode expires, it might be desirable to

lower the lifetime of the first passcode.

4. No changes are saved, until you click the Save button.

12.1.8.6 Load Balancing Policy Examples

This section shows different examples on how LB Policies can be applied usefully.

Example 1 (Prefix Load Balancing):

A large enterprise has acquired 8 GSM modems which are distributed between 4 different

countries (2 modems at each location): United States, United Kingdom, Germany and France. A

SIM card from a national GSM service provider has been inserted into each GSM modem. Users

from all 4 countries are logging into a Citrix Web Interface. To provide the most efficient SMS

transmission and to lower the SMS transmission costs, it is desirable, that a modem is selected for

each transmission that uses a SIM card with the same international mobile number prefix as the

SIM card of the user requesting the SMS. This is also called prefix load balancing. To achieve

this, you should proceed as follows:

1. Create 4 modem groups, one for each country. E.g. you could call the modem groups

“US”, “UK”, “DE” and “FR”. For each modem group, assign the two modems located in the

corresponding country.

2. Create a sequence of 5 LB Policies (the last one being the built-in default LB Policy):

Load Balancing Policy #1: configuration (screenshot not reproduced in this transcript)

Load Balancing Policy #2: configuration (screenshot not reproduced in this transcript)

Load Balancing Policy #3: configuration (screenshot not reproduced in this transcript)

Load Balancing Policy #4: configuration (screenshot not reproduced in this transcript)

With these LB Policies in place, each SMS passcode will be sent using a modem from the same

country as the user, as long as both modems of the country are available and have a short queue

with 5 pending messages at most. Otherwise, the built-in default LB Policy will take over, i.e. the

message will be load balanced between all available modems, including the modems located in the

other countries.

Example 2 (GSM service provider failover):

A company has acquired 4 GSM modems. Two of the modems are equipped with SIM cards from

GSM service provider A, while the other two modems are equipped with SIM cards from GSM

service provider B. Below, the modems are called Provider A and Provider B modems,

respectively. By default, all passcodes should be sent using the Provider A modems and all users

have been assigned mobile phones with SIM cards from GSM service provider A. However, in

case of any problems with Provider A, the Provider B modems should be used instead. This means

that if the Provider A modems are unavailable or cannot send any SMS, or if the users do not

receive any SMS from Provider A, then the system should failover to the Provider B modems.

Selected important users have also been given SIM cards from GSM service provider B. The SMS

passcodes should be sent to the Provider B mobile number in the failover situation. In this way,

GSM network failover is realized at both the sending and receiving end. To achieve this, you

should proceed as follows:

1. Create 2 modem groups, one called “Provider A” and one called “Provider B”. For each

modem group, allocate the two modems with SIM cards from the corresponding GSM

service provider.

2. Create a sequence of 3 LB Policies (the last one being the built-in default LB Policy):

Load Balancing Policy #1: configuration (screenshot not reproduced in this transcript)

Load Balancing Policy #2: configuration (screenshot not reproduced in this transcript)
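The two examples above (and the LB Policy settings described before them) can be checked against a small simulation of the evaluation rules. The following Python is an added illustration, not SMS PASSCODE code: it models the pre-conditions on mobile number and user name, the two modem-group failover options, secondary mobile numbers, static passcodes, custom lifetimes and the "Send new passcode using next valid policy" option. The choice of the modem with the shortest queue inside a group, the modem group and policy names, and the sample mobile numbers are assumptions made for the example. The final function is a configuration check for the IMPORTANT note in section (e)(ii): it flags any static-passcode item that an earlier OTP item can fail over to on expiry (conservatively, without evaluating pre-conditions).

```python
"""Added simulation of Load Balancing Policy evaluation; illustrative, not SMS PASSCODE code."""
from dataclasses import dataclass
from typing import List, Optional

ALL_MODEMS = "All modems"
SYSTEM_DEFAULT_LIFETIME = 120  # seconds; the documented default on the Passcode settings page


@dataclass
class Modem:
    name: str
    group: str
    available: bool = True
    queue_length: int = 0


@dataclass
class LBPolicy:
    name: str
    mobile_prefix: Optional[str] = None     # pre-condition (ii); None = applies to any number
    username_prefix: Optional[str] = None   # pre-condition (iii); None = applies to any user
    modem_group: str = ALL_MODEMS
    skip_if_group_down: bool = False        # "Use next valid policy, if all modems ... are down"
    max_queue_length: Optional[int] = None  # "Use next valid policy, if the shortest queue length exceeds"
    send_to_secondary: bool = False         # "Send passcode to: secondary mobile number"
    static_passcode: bool = False           # "Use static passcode" (emergency only)
    lifetime_seconds: Optional[int] = None  # None = "Use system default"
    resend_on_expiry: bool = False          # "If passcode expires: Send new passcode using next valid policy"


@dataclass
class AuthRequest:
    username: str
    primary_mobile: str
    secondary_mobile: Optional[str] = None


@dataclass
class Decision:
    index: int                   # position of the chosen item in the LB Policy sequence
    policy: str
    modem: Optional[str]         # None for a static passcode (nothing is transmitted)
    target_mobile: Optional[str]
    lifetime_seconds: int


def group_modems(policy: LBPolicy, modems: List[Modem]) -> List[Modem]:
    """Available modems the policy item may transmit with."""
    return [m for m in modems if m.available and policy.modem_group in (ALL_MODEMS, m.group)]


def skip_reason(policy: LBPolicy, req: AuthRequest, modems: List[Modem]) -> Optional[str]:
    """Why the item is skipped for this request, or None if it applies."""
    target = req.secondary_mobile if policy.send_to_secondary else req.primary_mobile
    if policy.send_to_secondary and not target:
        return "user has no secondary mobile number"
    if policy.mobile_prefix and not target.startswith(policy.mobile_prefix):
        return "mobile number pre-condition not met"
    if policy.username_prefix and not req.username.startswith(policy.username_prefix):
        return "user name pre-condition not met"
    if policy.static_passcode:
        return None                      # no modem needed
    up = group_modems(policy, modems)
    if not up and policy.skip_if_group_down:
        return "all modems of the group are down"
    if up and policy.max_queue_length is not None and \
            min(m.queue_length for m in up) > policy.max_queue_length:
        return "shortest queue exceeds the limit"
    return None


def select_policy(policies, req, modems, start=0) -> Optional[Decision]:
    """Walk the sequence from `start`. None means no item applies, or the chosen group is
    down without failover enabled; either way the authentication fails."""
    for i in range(start, len(policies)):
        p = policies[i]
        if skip_reason(p, req, modems) is not None:
            continue
        lifetime = p.lifetime_seconds or SYSTEM_DEFAULT_LIFETIME
        if p.static_passcode:
            return Decision(i, p.name, None, None, lifetime)
        up = group_modems(p, modems)
        if not up:
            return None                  # group down and "use next valid policy" not checked
        modem = min(up, key=lambda m: m.queue_length)  # shortest queue first (assumed strategy)
        target = req.secondary_mobile if p.send_to_secondary else req.primary_mobile
        return Decision(i, p.name, modem.name, target, lifetime)
    return None


def run_session(policies, req, modems, expiries=0):
    """One authentication session in which the user lets `expiries` passcodes expire."""
    decisions, start = [], 0
    while True:
        d = select_policy(policies, req, modems, start)
        if d is None:
            return decisions, "authentication fails"
        decisions.append(d)
        if len(decisions) > expiries:
            return decisions, "passcode accepted"
        if not policies[d.index].resend_on_expiry:
            return decisions, "passcode expired: authentication fails"
        start = d.index + 1              # continue evaluation with the next item


def audit_static_failover(policies):
    """Flag static-passcode items reachable as expiry failover from an OTP item."""
    findings = []
    for i, p in enumerate(policies):
        if p.resend_on_expiry and not p.static_passcode:
            for later in policies[i + 1:]:
                if later.static_passcode:
                    findings.append(f"'{later.name}' is reachable as expiry failover from '{p.name}'")
    return findings
```

Running Example 1 through `select_policy` with a US user and both US modems queuing more than 5 messages yields the default item and the least-loaded modem of any country; running Example 2 through `run_session` with `expiries=1` yields a Provider A passcode followed by a Provider B passcode sent to the secondary number.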

12.1.9 Modem Monitoring

The Modem Monitoring page is used to monitor all GSM modems. The page is dynamically

updated to show the live status of every GSM modem attached to the SMS PASSCODE®

infrastructure. The modem monitoring page displays 3 sections of information for each GSM

modem:

a. Modem device information:

i. The COM port that the modem is attached to

ii. Modem description (modem type and revision number)

iii. The IMEI number of the GSM modem

b. Modem state information:

i. Status: Current status of the modem (should be “Ready” or “Sending” under

normal circumstances)

ii. Queue length: The current number of queued messages for the modem.

This number should be close to 0. If this number increases periodically, this

could indicate that too few modems have been assigned to handle the load.

iii. Signal strength: The currently detected GSM signal strength.

iv. SIM ID: A unique identifier for the SIM card inserted into the modem.

v. Operators: Click the hyperlink “Show” to display a list of detectable

operators. Please note, that retrieval of the operator list can take up to 1

minute and will delay any queued messages.

c. Transmission statistics:

i. Started: The date and time the modem thread was started the last time.

ii. # Successful transmissions: The number of successfully transmitted

messages since the modem thread was started

iii. # Failed transmissions: The number of failed message transmissions since

the modem thread was started

iv. # Modem initializations: The number of attempted modem initializations

since the modem thread was started. Should be 1 under normal

circumstances. If this number is large, then the modem is being re-initialized

periodically which could indicate GSM network problems, e.g. a weak GSM

signal strength.

v. Avg. transmission time: The average time per transmission measured

since the modem thread was started.

12.1.10 General Settings

The General settings page allows configuration of the following miscellaneous settings:

Changes do not take effect until you click the Save button.

Setting Explanation

Default prefix for mobile numbers

This prefix is automatically added to the beginning of each user’s mobile phone number if no explicit international prefix is specified. You can always explicitly specify another prefix for individual users.

Enable AD Integration

This setting controls whether the AD Integration feature is enabled. You can enable the AD Integration in two different modes:

Single domain mode: Users are imported from a user group in a single domain.

Multi domain mode: Users are imported from several user groups, possibly from separate domains.

Please read section 12.1.12.1 (page 142) for more details regarding the difference of the AD Integration modes.

Default setting for Flash SMS

This setting specifies whether new users should have flash SMS enabled or disabled by default. You can always override this setting for individual users. It is recommended to keep the Flash SMS setting enabled by default unless Flash SMS is not supported by your GSM service provider in general.

Secondary mobile numbers

When this setting is enabled, you can optionally allocate a secondary mobile number to each user. Secondary numbers can be used during configuration of Load Balancing Policies for failover scenarios.

12.1.11 Passcode Settings

The Passcode settings page allows configuration of several settings regarding the generation of

passcodes sent to the users’ cell phones:

Changes do not take effect until you click the Save button.

Setting Explanation

Passcode length: This setting controls the length of the generated passcodes, i.e. the number of characters in each passcode. Longer passcodes mean higher security because the probability of guessing a passcode decreases. Shorter passcodes are easier to enter for the users, on the other hand. The default setting is: 6. Allowed range: 5-20.

Passcode type: This setting defines whether the generated passcodes are only allowed to contain digits, or a combination of digits and letters. Passcodes containing only digits are usually easier to enter for the users. Passcodes containing both digits and letters, on the other hand, are more secure because there are more combinations, meaning less probability of guessing a passcode.

SMS PASSCODE® 4.0 offers a new option called memoPasscodes™. memoPasscodes™ are constructed in a special way, making them easier for users to memorize, thereby providing improved user convenience during authentication. At the same time, memoPasscodes™ still offer maximum security by building the passcodes using random patterns. memoPasscodes™ is the recommended passcode type. The default setting is: memoPasscodes™

Passcode life time: This setting controls for how long a passcode is valid (see footnote 15) after it has been sent to the user. A user must complete the logon within this time limit to be successfully authenticated using SMS PASSCODE®. The default setting is 120 seconds = 2 minutes. Allowed range: 30-3600 seconds (30 seconds - 1 hour)

Footnote 15: When using Load Balancing Policies, it is possible to overrule this setting and define different Passcode life times for different cases.
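To make the trade-offs in the Passcode settings table concrete, here is an added Python example (not SMS PASSCODE code) that generates passcodes from a cryptographically secure source within the documented length range, computes the size of the passcode space and the blind-guess probability for digits-only versus digits-and-letters passcodes, and validates an entered passcode against the documented lifetime window with a constant-time comparison. The alphabet assumed for the digits-and-letters type (digits plus upper-case letters) and the `IssuedPasscode` record are assumptions; memoPasscodes™ are not modelled because the guide does not describe their construction.

```python
"""Added passcode generation and validation example; illustrative, not SMS PASSCODE code."""
import secrets
import string
import time
from dataclasses import dataclass

DIGITS = string.digits
DIGITS_AND_LETTERS = string.digits + string.ascii_uppercase  # assumed alphabet for the mixed type


def passcode_space(length: int, alphabet: str) -> int:
    """Number of distinct passcodes the settings allow (e.g. 10**6 for six digits)."""
    return len(alphabet) ** length


def guess_probability(length: int, alphabet: str, attempts: int = 1) -> float:
    """Chance that `attempts` blind guesses hit one specific passcode."""
    return attempts / passcode_space(length, alphabet)


def generate_passcode(length: int = 6, alphabet: str = DIGITS) -> str:
    """Random passcode from the OS CSPRNG; enforces the documented 5-20 character range."""
    if not 5 <= length <= 20:
        raise ValueError("passcode length must be between 5 and 20")
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class IssuedPasscode:            # assumed record kept per authentication session
    value: str
    issued_at: float             # seconds since the epoch
    lifetime_seconds: int


def issue(length: int = 6, alphabet: str = DIGITS, lifetime_seconds: int = 120,
          now: float = None) -> IssuedPasscode:
    """Generate a passcode and start its lifetime; enforces the documented 30-3600 s range."""
    if not 30 <= lifetime_seconds <= 3600:
        raise ValueError("passcode lifetime must be between 30 and 3600 seconds")
    issued_at = time.time() if now is None else now
    return IssuedPasscode(generate_passcode(length, alphabet), issued_at, lifetime_seconds)


def verify(issued: IssuedPasscode, entered: str, now: float = None) -> bool:
    """True only if the passcode is still within its lifetime and matches exactly."""
    now = time.time() if now is None else now
    if now - issued.issued_at > issued.lifetime_seconds:
        return False             # expired; the LB Policy decides whether a new one is sent
    return secrets.compare_digest(issued.value.encode(), entered.strip().encode())
```

With the defaults, `passcode_space(6, DIGITS)` is one million, so ten blind guesses succeed with probability 1e-5; switching to digits and letters at the same length raises the space to 36 to the sixth power, which is the reason the table calls that type more secure.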

12.1.12 Active Directory Integration Settings

Active Directory Integration makes it possible to maintain SMS PASSCODE® users in one or more

Active Directories. No schema extension of any of your ADs is necessary to make use of this

functionality. You simply select a group of own choice in (each) AD to contain SMS PASSCODE®

users and the SMS PASSCODE® database service will automatically synchronize all users, being

members of this/these group(s), to the SMS PASSCODE® user database. The Active Directory

Integration supports several advanced features:

Multi domain support: It is possible to import users from one or several separate AD

domains.

Group nesting: The chosen AD group may contain other groups in a nested hierarchy,

thereby making administration of SMS PASSCODE® users even easier.

Child domains and trusted domains: When using nested groups, all groups and/or users

in the group hierarchy are allowed to be located in child domains and/or trusted domains.

Configurable protocol: Synchronization can occur either using the LDAP or the Global

Catalog (GC) protocol.

Optional secondary mobile number: Up to two mobile numbers can be imported per

user.

Configurable mobile attributes: It is configurable which AD user attribute(s) the mobile

phone numbers are retrieved from.

Configurable user group: It is configurable which AD group should contain your SMS

PASSCODE® users.

Data transformations: Data transformations can be applied to all imported user names

and mobile phone numbers.

Using nested groups from child domains / trusted domains

Please note that in order to make use of nested groups from Child Domains and/or Trusted

Domains, an AD user account that has read-access to all involved domains (or Global Catalog

servers) must exist. If the SMS PASSCODE® Database Service is not started using this user

account, the credentials of this user account must be specified as part of the AD Integration

settings.

Alternatively, instead of using nested groups from child/trusted domains, you could enable Multi

domain mode and enter settings (credentials) for each child/trusted domain explicitly.

12.1.12.1 Single Versus Multi Domain Mode

Active Directory integration can be enabled in two different modes: Single domain mode and

multi domain mode.

Single domain mode is the traditional way to implement Active Directory Integration, i.e. the AD

Integration works in this mode exactly as in the previous versions of SMS PASSCODE®. In this

mode, a single user group is selected in a single AD, and all users being member of this group are

synchronized to the SMS PASSCODE® database. Please note, that the synchronization might

nevertheless span several AD domains, because the selected group might contain nested groups,

including nested groups from child domains and trusted domains. All users from nested groups are

synchronized as well.

The multi domain mode allows the setup of “multiple AD Integrations”. I.e. you can think of this

mode as working exactly like the “single domain mode”, except that you can now configure several

AD integrations, each having individual settings and synchronizing in parallel.

The single domain mode is recommended for companies or organizations having one AD domain

(forest). The multi domain mode is especially useful for hosting providers that are hosting multiple

separate domains for different customers.

12.1.12.2 Single Domain Mode

This section describes how to configure AD Integration in single domain mode.

Simple setup

In the simplest case, if the SMS PASSCODE® database service is running on a domain member

server (or domain controller), and no child or trusted domains are involved, you will typically need

to do only the following to enable Active Directory Integration:

1. Select the General settings page.

2. Enable Active Directory Integration in single domain mode:

a. Select the Enabled (single domain mode) option.

b. Click the Save button.

After this, Active Directory Integration is ready for use – simply create a group called SMS

PASSCODE USERS in your AD and add users or nested groups to this group.

Advanced setup

In more complex cases, where a) the SMS PASSCODE® database service is NOT running on a

domain member server (e.g. because it is located in a DMZ), or b) nested groups from child

domains or trusted domains are involved, or c) you wish to change some of the more advanced

settings, please follow the instructions below:

1. Enable AD Integration in single domain mode according to the instructions above (“Simple

setup”).

2. You are now ready to configure the AD settings. Go to the AD Integration page:

3. Configure the AD Settings:

a. AD refresh interval: Enter into this field how often the AD synchronization engine

should check for changes in the AD. The default value is every 5 minutes.

b. Data Repository: Select the protocol for synchronization. LDAP is normally

recommended, but the Global Catalog protocol might provide performance

advantages in environments with one or more child domains, because all

information can be collected from the Global Catalog server instead of contacting

each child domain controller sequentially.

c. AD Server: If the SMS PASSCODE® database service is running on a domain

member server (or domain controller), then you can leave this field empty. The

database service will then automatically locate a domain controller of the domain, to

which it belongs. You may specify the host name or IP address of a domain

controller anyhow, if you would like the AD synchronization to always communicate

with a specific domain controller.

On the other hand, if the SMS PASSCODE® database service is NOT running on a

domain member server (or domain controller), then you must specify either the DNS

name of a domain, or the host name or IP address of a domain controller that

should be used for AD synchronization.

d. AD Credentials: By default the SMS PASSCODE® Database Service will connect

to the AD using the permissions of the user account executing the Database

service. If this is sufficient, e.g. because the Database service is running on a

domain member server or a domain controller, then you can leave this field empty.

AD credentials are normally only necessary if the SMS PASSCODE® database

service is NOT running on a domain member server (or domain controller), or if a

specific user account is needed for read access to child domains and/or trusted

domains. In this case, you should specify AD credentials (user name and password)

for a user account having read access to all involved Active Directories.

e. AD Group: Enter the name of the AD group containing all SMS PASSCODE® users

into this field. The default name is SMS PASSCODE USERS.

f. AD Group Base DN: When searching for the group entered in (e), SMS

PASSCODE® will by default search from the root of the root domain naming context.

If you wish to restrict the search (e.g. to a child domain), please specify a base DN.

This base DN will then be used as the root of the search. Example of a base DN:

OU=DepartmentEast,DC=testdomain,DC=com

g. Finally, you can perform an AD authentication test by clicking the Test AD

authentication button. This will perform an authentication test and verify whether

your settings are correct. The test verifies:

i. If a domain controller can be located.

ii. If it is possible to authenticate and read data from the AD of the located

domain controller.

iii. If the specified AD group can be located.

Further settings are available by scrolling down the page:

h. User name attribute: Select, which LDAP attribute contains the user name. SAM-

Account-Name is the recommended default setting that works with all

authentication clients. Select User-Principal-Name (UPN) only when you have a

specific requirement for users authenticating using UPN syntax and the

authentication client in question does not convert the user names to SAM account

format by itself.

i. Mobile number attribute(s): Enter into this field the LDAP name of the AD user

attribute (see footnote 16) that contains the mobile phone number to be extracted for each user. You

can even specify multiple attributes separated by a comma. In this case the

synchronization engine will perform a prioritized search for the mobile phone

number. E.g. if you enter “mobile,otherMobile”, then the synchronization

engine will first look for each user’s mobile phone number in the user attribute

mobile. If this field does not contain any mobile number, then the field

otherMobile is searched.

Please note: Users not having any valid mobile phone number in any of the

specified attributes will be skipped during AD synchronization, i.e. these users will

not be able to authenticate using SMS PASSCODE®.

j. Secondary mobile number attribute(s): This option is only available when

Secondary mobile numbers have been enabled on the General Settings page.

You should only enter anything into this field if you would like to allocate secondary

mobile numbers to users and provide mobile phone (GSM receiver) failover for

these users using Load Balancing Policies. In this case, enter into this field the

LDAP name of the AD user attribute (see footnote 16) that contains the secondary mobile phone

number to be extracted for each user. You can even specify multiple attributes

separated by a comma. In this case the synchronization engine will perform a

prioritized search for the secondary mobile phone number. E.g. if you enter

“pager,otherMobile”, then the synchronization engine will first look for each

user’s secondary mobile phone number in the user attribute pager. If this field does

not contain any mobile number, then the field otherMobile is searched.

Footnote 16: When using LDAP, you can enter any valid LDAP attributes (http://msdn.microsoft.com/en-us/library/ms683980(VS.85).aspx). However, when using the Global Catalog, you must ensure that the specified attributes are actually replicated to the Global Catalog. E.g. the default attribute mobile is in fact NOT replicated to the Global Catalog by default. For more information about how to add attributes to the Global Catalog, please read http://technet2.microsoft.com/windowsserver/en/library/8c76ff67-9e9d-4fc7-bfac-ffedee8a04d41033.mspx and http://technet2.microsoft.com/windowsserver/en/library/42ae2845-a7aa-4f02-8944-175f6541125f1033.mspx

IMPORTANT: Changes do not take effect until you click the Save button.

Note: The page contains some additional settings regarding data transformations. These settings

are described in section 12.1.12.4, page 149.

12.1.12.3 Multi Domain Mode

This section describes how to configure AD Integration in multi domain mode.

Basically, in multi domain mode, you can create any number of domain settings entries. Each

entry represents an AD synchronization with its own settings which can be configured exactly like

the AD settings in single domain mode.

The procedure is as follows:

1. Select the General settings page.

2. Enable Active Directory Integration in multi domain mode:

a. Select the Enabled (multi domain mode) option.

b. Click the Save button.

3. Now go to the AD Integration page to configure the AD settings. Here you can add, edit

and delete domain settings entries.

a. To add a new entry, click the Add new domain button, configure the new entry, and

click Save.

b. To edit an entry, click the Select link on the entry, change the settings, and click

Save.

c. To delete an entry, click the Delete button on the entry.

In general, the settings on each Domain settings entry are similar to the settings in single domain

mode (cf. section 12.1.12.2 above). However, there are some additional settings:

Description: You can assign a description to each Domain settings entry. This description

is shown in the table of all Domain settings entries and is useful for identification when you

have a lot of entries. It can also be used when searching for specific entries using the Filter

feature.

Enabled: Using this option you can enable and disable individual AD synchronizations.

Default mobile number prefix: Using this option you can overrule the default mobile

number prefix defined on the General Settings page. I.e. you can define a default mobile

number prefix that is used for all users created using this specific AD synchronization.

Default setting for flash SMS: Using this option you can overrule the default setting for

flash SMS defined on the General Settings page. I.e. you can define a flash SMS setting

that is used for all users created using this specific AD synchronization.

12.1.12.4 Data Transformations

When importing users from Active Directories, or custom CSV-files, it might sometimes be useful to

apply some kind of data transformations. E.g. all mobile numbers in an AD might be prefixed with a

zero (“0”) due to some technical reasons for calling the number from the office. In this case, it

would be useful to apply a data transformation that would remove any leading zeroes from all

mobile numbers. This is actually possible using the data transformation feature of SMS

PASSCODE®.

Data transformations can be applied to any user names and mobile numbers imported into the

SMS PASSCODE® database. The transformation is specified using regular expression syntax

(please read http://msdn.microsoft.com/en-us/library/6wzad2b2(VS.85).aspx or www.regular-

expressions.info for a detailed description of regular expressions).

Data transformations are configured as part of the AD Integration settings at the bottom of the AD

Integration page:

The procedure for applying a data transformation to user names or mobile phone numbers is the

same. In both cases, you enter a search pattern and a replacement string. During the import of

new data, the search pattern will be applied to all user names and mobile phone numbers being

imported, and in case of any search pattern matches, the matching pattern will be replaced

according to the replacement string. Every user name or mobile phone number not matching the

search pattern will be imported unaltered.

Below are some data transformation examples (each transformation example is written as input -> result):

Example 1: Changing the domain name for imported users from “mydomain” to “yourdomain”:

o Search pattern: ^mydomain\\(.*)$

o Replacement string: yourdomain\$1

o Transformation example: mydomain\alex -> yourdomain\alex

Example 2: Changing imported user names from NETBIOS to UPN syntax:

o Search pattern: ^mydomain\\(.*)$

o Replacement string: [email protected]

o Transformation example: mydomain\alex -> [email protected]

Example 3: Removing any leading zeroes from mobile phone numbers:

o Search pattern: ^(0*)(.*)$

o Replacement string: $2

o Transformation examples:

234 456 -> 234 456

0 234 456 -> 234 456

00 234 456 -> 234 456

Example 4: Removing parentheses and dashes from mobile phone numbers in the format “(xxxx) xxxx-xxxxx”:

o Search pattern: ^(\((\d*)\))?\s*(\d*)\s*-?\s*(\d*)$

o Replacement string: $2 $3 $4

o Transformation examples:

(461) 345-456 -> 461 345 456

345 456 -> 345 456
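The prioritized attribute search from section 12.1.12.2 (settings i and j) and the data transformations above can be reproduced in a few lines. The following Python is an added example, not SMS PASSCODE code: it takes constructed AD-style user records, picks the first non-empty attribute from a comma-separated list such as “mobile,otherMobile”, skips users without any mobile number (as the guide says the synchronization does), and applies one search pattern and replacement string to user names and mobile numbers using the guide's own patterns. The replacement strings use .NET-style `$n` group references, which the helper expands for Python's `re`; the patterns shown in the guide are valid in both regex dialects. Two details are assumptions: a matched result has surrounding whitespace trimmed (Examples 3 and 4 otherwise leave a leading space when an optional group is empty), and the UPN suffix `@mydomain.example` in the test stands in for the replacement string of Example 2, which is not legible in this copy of the guide.

```python
"""Added AD synchronization and data transformation example; illustrative, not SMS PASSCODE code."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (LDAP attribute -> value); not real directory data.
SAMPLE_USERS: List[Dict[str, Optional[str]]] = [
    {"sAMAccountName": "alex", "mobile": "0 234 456"},
    {"sAMAccountName": "bea", "otherMobile": "(461) 345-456", "pager": "00 777 888"},
    {"sAMAccountName": "carl"},   # no mobile number anywhere: skipped by synchronization
]

Rule = Tuple[str, str]            # (search pattern, replacement string)


def first_attribute(record: Dict[str, Optional[str]], attributes: str) -> Optional[str]:
    """Prioritized search, e.g. "mobile,otherMobile": first attribute with a value wins."""
    for attr in (a.strip() for a in attributes.split(",")):
        value = record.get(attr)
        if value:
            return value
    return None


def _dotnet_template(template: str) -> Callable[[re.Match], str]:
    """Turn a .NET-style replacement string ("$1", "$$") into a callback for re.sub."""
    tokens = re.split(r"(\$\d+|\$\$)", template)

    def expand(m: re.Match) -> str:
        out = []
        for t in tokens:
            if t == "$$":
                out.append("$")
            elif t.startswith("$"):
                out.append(m.group(int(t[1:])) or "")   # unmatched optional group -> ""
            else:
                out.append(t)
        return "".join(out)

    return expand


def transform(value: str, search_pattern: str, replacement: str) -> str:
    """Apply one data transformation; values not matching the pattern are returned unaltered."""
    result, count = re.subn(search_pattern, _dotnet_template(replacement), value)
    return result.strip() if count else value   # trimming is an assumption (see lead-in)


def synchronize(records, username_attr: str = "sAMAccountName",
                mobile_attrs: str = "mobile,otherMobile",
                secondary_attrs: Optional[str] = None,
                username_rule: Optional[Rule] = None,
                mobile_rule: Optional[Rule] = None):
    """Return (imported, skipped): imported rows are (user name, mobile, secondary mobile)."""
    imported, skipped = [], []
    for record in records:
        name = record.get(username_attr) or ""
        mobile = first_attribute(record, mobile_attrs)
        if not mobile:
            skipped.append(name)          # cannot authenticate via SMS without a number
            continue
        secondary = first_attribute(record, secondary_attrs) if secondary_attrs else None
        if username_rule:
            name = transform(name, *username_rule)
        if mobile_rule:
            mobile = transform(mobile, *mobile_rule)
            if secondary:
                secondary = transform(secondary, *mobile_rule)
        imported.append((name, mobile, secondary))
    return imported, skipped
```

Running `synchronize(SAMPLE_USERS, secondary_attrs="pager,otherMobile", mobile_rule=(r"^(0*)(.*)$", "$2"))` imports alex and bea with leading zeroes removed from both numbers and reports carl as skipped.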

12.1.13 Maintaining License Information

The WAI also has a page for maintaining license information. You will typically only make changes on this page when you receive a new license code, i.e. when more user or modem licenses have been acquired.

To change license information, please follow the instructions below:

1. Select the License page.

2. Edit the license information:

a. Change the company name in the Licensed to field, if necessary. This will normally only be necessary if you have misspelled the company name during installation of SMS PASSCODE®. Please note that the company name must be spelled exactly as stated in the license e-mail. If this is not observed, the license code will not be accepted.

b. Change the License code, if necessary, e.g. if you have received a new license code. It is recommended to copy and paste the license code from the license e-mail.

c. Click the Save button.

d. Check whether the new license information was accepted.


12.2 Importing and Synchronizing Users from other Data Sources

If you need to import users into the SMS PASSCODE® database from a source other than Microsoft Active Directory, this is possible using comma-separated files. I.e. you should export all users from your data source to a comma-separated file, and afterwards import this file into the SMS PASSCODE® database. If the user export/import is a one-time task, you can simply import the comma-separated file using the SMS PASSCODE® Web Administration interface (cf. section 12.1.3, page 110).

However, if you wish to set up an automated periodic import or synchronization from a comma-separated file, you should make use of the DbAdmin command line tool.

The DbAdmin tool is installed on the server hosting the SMS PASSCODE® Database Service. The default path is:

C:\Program Files\SMS PASSCODE\DbAdmin.exe

If you run this tool without any arguments, it will display the expected syntax and valid arguments.

To import users from a comma-separated file, use this syntax:

DbAdmin -user -import "csv file name"

Replace csv file name with the path to your comma-separated file. You can add additional arguments to obtain different behaviors. Different examples are listed below:

Add new users: Import users from a comma-separated file. Any users already present in the database are not overwritten. No users are removed from the database:

DbAdmin -user -import "csv file name"

Add new users, overwriting existing users: Import users from a comma-separated file. Any users already present in the database are overwritten with possibly new data. No users are removed from the database:

DbAdmin -user -import "csv file name" -replaceExistingUsers

Synchronize users: Import users from a comma-separated file. Any users already present in the database are overwritten with possibly new data. Any users present in the database, but NOT present in the comma-separated file, are removed from the database:

DbAdmin -user -import "csv file name" -replaceExistingUsers -removeUsers

Using the DbAdmin tool it is possible to set up a periodic custom synchronization of users from your specific data source to SMS PASSCODE®. This custom synchronization will work exactly like the built-in AD Integration. To configure a custom synchronization, please proceed as follows:

Schedule a periodic task, e.g. using the Windows Task Scheduler. This task should perform the following actions:

a. Export the required users from the data source to a comma-separated file.

b. Call DbAdmin with the generated comma-separated file as input and with the arguments shown above at Synchronize users.


You can even set up multiple custom synchronizations that will work in parallel on their own subset of users, analogously to the built-in AD integration running in multi domain mode. And you can have several custom synchronizations and several AD-integrations run simultaneously. Please contact [email protected] if you would like to receive more information about this.

12.3 Configuring Citrix Web Interface Protection

If you have installed the optional Citrix Web Interface Protection component, you will normally not need to perform any further configuration of this.

Manual configuration of the Citrix Web Interface scenario is only necessary if you decide to change the scenario to a different setting than selected during installation. This might, for example, be the case if the scenario Disabled was selected during installation, and you would like to activate SMS PASSCODE® authentication for the Citrix Web Interface afterwards.

The procedure for changing the Citrix Web Interface Protection scenario is:

1. Open the file WebInterface.conf using Notepad. This file is located in the subfolder Conf of the root folder of the Citrix Web Interface. The default path is:

Citrix Web Interface 4.0 / 4.2: C:\Inetpub\wwwroot\Citrix\MetaFrame\conf\WebInterface.conf

Citrix Web Interface 4.5 / 4.6: C:\Inetpub\wwwroot\Citrix\AccessPlatform\conf\WebInterface.conf

Citrix Web Interface 5.x: C:\Inetpub\wwwroot\Citrix\XenApp\conf\WebInterface.conf

2. Edit the line containing “SMSPASSCODE=xxxx”. Change it to one of:

SMSPASSCODE=Off: SMS PASSCODE® is disabled.

SMSPASSCODE=On: SMS PASSCODE® is enabled (Standalone or Side-By-Side logon).

SMSPASSCODE=Both: SMS PASSCODE® is enabled (Standalone or Dual logon).

3. Save the WebInterface.conf file.

IMPORTANT

If you have enabled Active Directory Integration, and you are receiving the error message ”No mobile number for user, please contact your administrator” during Citrix Web Interface logon, please read section 14.2 (page 233) for solving this problem.


12.4 Configuring RADIUS Protection

If you have installed the optional RADIUS Protection component, you should configure your RADIUS clients and your RADIUS server (IAS/NPS server). Below, IAS/NPS server designates the server that the SMS PASSCODE® RADIUS Protection component is installed on.

The configuration procedure is slightly different on Windows Server 2003 and Windows Server 2008. Please follow the instructions in section 12.4.1 for Windows Server 2003 and the instructions in section 12.4.2 for Windows Server 2008.

12.4.1 Configuring RADIUS Protection on Windows Server 2003

The procedure for configuring RADIUS authentication using SMS PASSCODE® on a Windows Server 2003 is:

1. Configure all RADIUS clients in the usual way by specifying the IAS server as the RADIUS server. If you are in doubt how to perform the configuration, please refer to the configuration guide of the specific RADIUS client in question.

Important: The user experience is best for RADIUS clients supporting Challenge Response. If Challenge Response support is configurable on the RADIUS client, please enable it.

2. Start the IAS Management Console:

a. Select Run… in the Windows Start menu

b. Enter ias.msc

c. Click OK

3. The IAS Management Console is shown.

4. Now you must create all your RADIUS Clients in the IAS Management Console. If these have already been created beforehand, you can skip to step 10.


5. To create a RADIUS Client:

a. Right-click the RADIUS Clients node.

b. Select New RADIUS Client.

6. The New RADIUS Client dialog appears.

a. Enter a “friendly name” of the RADIUS Client.

b. Enter the IP address of the RADIUS Client.

c. Click Next.


7. New fields appear in the New RADIUS Client dialog.

a. Enter and confirm the Shared Secret. It must match the shared secret configured on the RADIUS Client.

b. Click Finish.

8. The RADIUS Client that you have created will appear in the right-hand pane:

9. Repeat steps 5-8 if you need to create more RADIUS Clients.


10. It is recommended to create a Connection Request Policy for SMS PASSCODE® authentications. To do so, right-click the Connection Request Policies node and select New Connection Request Policy:

11. The New Connection Request Policy Wizard dialog appears. Click Next.


12. New fields appear in the New Connection Request Policy Wizard dialog. Set up a custom policy.

a. Select A custom policy.

b. Enter a name for the policy, e.g. SMS PASSCODE authentication.

c. Click Next.

13. Now you should define the conditions that determine when this policy is used. Click Add…


14. First you should define that this policy is not restricted by day or time:

a. Select Day-And-Time-Restrictions

b. Click Add…

c. Select Permitted.

d. Click OK.


15. Now you should add the conditions that determine that SMS PASSCODE authentication should occur. E.g. you could add a “Client-IP-Address” condition and filter on the RADIUS client. Finally, after you have added all your conditions of choice, click Next.

16. Click Edit Profile…


17. Now specify that the IAS extension should take full authentication control.

a. Select Accept users without validating credentials

b. Click OK

18. Click Next

19. Click Finish


20. This completes the configuration of RADIUS authentication using SMS PASSCODE®. Please test each RADIUS client to make sure that RADIUS authentication works as expected.

12.4.2 Configuring RADIUS Protection on Windows Server 2008

The procedure for configuring RADIUS authentication using SMS PASSCODE® on a Windows Server 2008 is:

1. Configure all RADIUS clients in the usual way by specifying the NPS server as the RADIUS server. If you are in doubt how to perform the configuration, please refer to the configuration guide of the specific RADIUS client in question.

Important: The user experience is best for RADIUS clients supporting Challenge Response. If Challenge Response support is configurable on the RADIUS client, please enable it.

2. Start the NPS Management Console:

a. Select Run… in the Windows Start menu

b. Enter nps.msc

c. Click OK

3. The NPS Management Console is shown.

4. Now you must create all your RADIUS Clients in the NPS Management Console. If these have already been created beforehand, you can skip to step 9.


5. To create a RADIUS Client:

a. Right-click the RADIUS Clients node.

b. Select New RADIUS Client.


6. The New RADIUS Client dialog appears.

a. Enter a “friendly name” of the RADIUS Client.

b. Enter the IP address of the RADIUS Client.

c. Enter and confirm the Shared Secret. It must match the shared secret configured on the RADIUS Client.

d. Click OK.


7. The RADIUS Client that you have created will appear in the right-hand pane:

8. Repeat steps 5-7 if you need to create more RADIUS Clients.

9. It is recommended to create a Connection Request Policy for SMS PASSCODE® authentications. To do so, right-click the Connection Request Policies node and select New:


10. The New Connection Request Policy dialog appears.

a. Enter a name for the policy, e.g. SMS PASSCODE authentication.

b. Select Type of network access server.

c. Click Next.


11. Now you should define the conditions that determine when this policy is used. Click Add…


12. First you should define that this policy is not restricted by day or time:

a. Select Day-And-Time-Restrictions

b. Click Add…

c. Select Permitted.

d. Click OK.


13. Now you should add the conditions that determine that SMS PASSCODE authentication should occur. E.g. you could add an “Access Client IPv4 Address” condition and filter on the RADIUS client. Finally, after you have added all your conditions of choice, click Next.


14. Now specify that the NPS extension should take full authentication control:

a. Select Accept users without validating credentials.

b. Click Next.

15. Click Next

16. Click Finish

17. This completes the configuration of RADIUS authentication using SMS PASSCODE®. Please test each RADIUS client to make sure that RADIUS authentication works as expected.


12.4.3 Advanced Configuration of the RADIUS Protection Component

The sections above describe the standard configuration of SMS PASSCODE® RADIUS Protection. This is usually sufficient.

However, the SMS PASSCODE® Configuration Tool located in the Windows Start Menu offers a graphical user interface for maintaining a number of advanced RADIUS settings which can be configured to tailor the RADIUS Protection component to your specific RADIUS authentication requirements.

After opening the SMS PASSCODE® Configuration Tool from the Windows Start Menu, the application will display a number of tabs. Select the RADIUS Client Protection tab to configure the advanced RADIUS settings:


The RADIUS Client Protection tab contains three sub-tabs:

Authentication: This tab contains settings that affect the authentication behavior of the RADIUS Protection component. Please read section 12.4.3.1 (page 173) for further details.

Authorization: This tab allows you to enable/disable the inclusion of a RADIUS authorization attribute in each RADIUS accept packet being sent to the RADIUS client on successful authentication, and to configure the authorization attribute. Please read section 12.4.3.2 (page 177) for further details.

Miscellaneous: This tab contains miscellaneous settings of the RADIUS Protection component regarding text encoding, challenge/response behavior and more. Please read section 12.4.3.3 (page 181) for further details.

The different tabs and settings are described in detail in the subsequent sections.

IMPORTANT:

Whenever you change any of the RADIUS Client Protection settings, you must restart the Internet Authentication Service (Windows Server 2003) or the Network Policy Server service (Windows Server 2008) before the changes take effect. The SMS PASSCODE® Configuration Tool will automatically suggest performing this action for you when the changed settings are saved.


12.4.3.1 RADIUS Authentication Settings

The Authentication tab on the RADIUS Client Protection tab contains the following settings:

The settings have the following purposes:

a. Format of user names forwarded to the SMS PASSCODE system

This setting specifies whether the user names should be sent to the SMS PASSCODE® authentication infrastructure in SAM (domain\username) or UPN (username@domain) format. It is important that the user names are sent in the same format as they are stored in the SMS PASSCODE® database. If this is not fulfilled, the users will not be recognized and authentication will fail.


b. Allow login when

By default, the SMS PASSCODE® RADIUS Protection component will reject an authentication attempt from a user using an expired password or using a password that has been flagged “must be changed at next logon”. However, you can change this behavior. This might make sense when a user is requesting remote access using a VPN connection. In this case it might be acceptable to give the user network access and in this way allow the user to renew/change the password.

Password has expired: Check this setting to allow successful authentication with a password that has expired.

Password must change: Check this setting to allow successful authentication with a password that has been flagged “must change at next logon”.

c. Side-by-side

These settings are used to configure the RADIUS Protection component to work side-by-side with other RADIUS authentication systems, e.g. hardware-token based two-factor authentication systems.

If side-by-side functionality is needed in your environment, please consider these two cases:

Case 1: All users can be divided into two separate groups. One group uses only SMS PASSCODE®, the other group uses only a different system for RADIUS authentication. In this case you should use the following settings:

Using this setup both groups of users can log in using the standard authentication workflow that they are used to.


Case 2: You have two different RADIUS authentication systems, but you cannot divide your users into two separate groups. I.e. some users might use both types of authentication. In this case you have two options.

1) You can let the users explicitly select the type of authentication that they would like to use. Use these settings in this case:

Using this setup all users have to trigger SMS PASSCODE® authentication explicitly by either leaving the password empty or entering the password “sms”. In all other cases the other RADIUS authentication system will be used.

2) The type of authentication is automatically determined by the type of password entered. In this case, use these settings, and also specify a regular expression in the Skip password validation for the following type of passwords setting that will identify the passwords of the other authentication system.

The individual side-by-side settings are described in detail below:

Forward failed request:

i. Unchecked (default behavior): Failed authentications are not forwarded, i.e. a RADIUS reject package will be sent back to the RADIUS client whenever SMS PASSCODE® authentication fails.

ii. Checked (forwarding behavior): Authentication requests are forwarded to another RADIUS authentication system whenever SMS PASSCODE® authentication fails. Authentication requests can be forwarded to either another IAS/NPS extension (on the same server) or another RADIUS server.

RADIUS forwarding: When Forward failed request is enabled, you have the option of forwarding requests to another IAS/NPS extension or another RADIUS server. Please note that you cannot use both types of forwarding at the same time; forwarding to another IAS/NPS extension on the same server always has highest priority. Please read section 12.4.4 (page 183) for the additional required actions to make the IAS/NPS service forward RADIUS requests to another IAS/NPS extension or another RADIUS server.

WARNING:

When enabling “forwarding behavior”, always ensure that authentication is forwarded correctly to another authentication system. Otherwise, all users will have access without any authentication!


Explicit side-by-side:

i. Unchecked (default workflow): SMS PASSCODE® authentication is always performed first. In case SMS PASSCODE® authentication succeeds, the user authentication is accepted. Whenever SMS PASSCODE® authentication fails, behavior is controlled by the Forward failed request setting.

ii. Checked (side-by-side workflow): If a username is entered and no password is specified, or the password “sms” is specified, then SMS PASSCODE® authentication is carried out in two steps. First a challenge will ask for the Windows password, followed by another challenge that will ask for the SMS passcode.

If an authentication request is received with a non-empty password different from “sms”, then SMS PASSCODE® authentication fails immediately. The behavior is then controlled by the Forward failed request setting.

Skip password validation for the following type of passwords:

i. Empty (default): This setting has no effect.

ii. Non-empty (password filtering): If you enter a regular expression into this field, SMS PASSCODE® will check, on each authentication attempt, whether the regular expression matches the password entered. When this is the case, SMS PASSCODE® authentication will fail immediately, i.e. no Windows authentication is performed by SMS PASSCODE®. The behavior is then controlled by the Forward failed request setting.

If the regular expression does NOT match the password entered by the user, then the Forward failed request setting is ignored. I.e. if SMS PASSCODE® authentication fails (e.g. due to an incorrect password or passcode), then the request will not be forwarded to another RADIUS system even though the setting Forward failed request has been checked.
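The interaction of the three side-by-side settings above, written out as a decision function. This is an added example, not code from the SMS PASSCODE guide or product: the outcome of the SMS PASSCODE authentication itself (Windows password plus passcode) is simulated by a flag, the six-digit token pattern and all passwords are constructed, and the assumption that the explicit side-by-side trigger is checked before the skip-password regular expression is the example's own, since the guide describes the two settings separately:

```python
import re

# Added example, not from the SMS PASSCODE guide: a model of how the three
# side-by-side settings described above decide what happens to one RADIUS
# request. The result of the actual SMS PASSCODE authentication (Windows
# password plus passcode) is simulated by the sms_passcode_succeeds flag.
# Assumption: the explicit side-by-side trigger is evaluated before the
# skip-password regular expression; the guide describes them separately.

# With Explicit side-by-side checked, only these passwords start
# SMS PASSCODE authentication (two challenges follow).
EXPLICIT_TRIGGERS = ("", "sms")


def decide_request(password: str, sms_passcode_succeeds: bool, *,
                   forward_failed_request: bool = False,
                   explicit_side_by_side: bool = False,
                   skip_password_regex: str = "") -> str:
    """Return "ACCEPT", "REJECT" or "FORWARD" for one RADIUS request."""
    # What a failed SMS PASSCODE authentication turns into by default.
    on_failure = "FORWARD" if forward_failed_request else "REJECT"

    if explicit_side_by_side and password not in EXPLICIT_TRIGGERS:
        # Not an explicit SMS PASSCODE login: fails at once, no Windows
        # password check; Forward failed request decides.
        return on_failure

    if skip_password_regex:
        if re.search(skip_password_regex, password):
            # Looks like the other system's password/token: fails at once,
            # Forward failed request decides.
            return on_failure
        # Regex set but not matched: this is an SMS PASSCODE login, and a
        # failure is never forwarded, whatever Forward failed request says.
        on_failure = "REJECT"

    return "ACCEPT" if sms_passcode_succeeds else on_failure


def decision_table() -> list:
    """Constructed requests covering the cases described in the guide."""
    token_regex = r"^\d{6}$"   # constructed: the other system uses 6-digit tokens
    cases = [
        # (label, password, sms ok?, forward, explicit, regex)
        ("default, wrong password",          "WinPw",   False, False, False, ""),
        ("forwarding, wrong password",       "WinPw",   False, True,  False, ""),
        ("explicit, ordinary password",      "hunter2", False, True,  True,  ""),
        ("explicit, 'sms' trigger",          "sms",     True,  True,  True,  ""),
        ("regex, token-shaped password",     "123456",  False, True,  False, token_regex),
        ("regex, SMS PASSCODE login fails",  "WinPw",   False, True,  False, token_regex),
    ]
    return [(label, decide_request(pw, ok, forward_failed_request=fwd,
                                   explicit_side_by_side=exp,
                                   skip_password_regex=rx))
            for label, pw, ok, fwd, exp, rx in cases]


if __name__ == "__main__":
    for label, outcome in decision_table():
        print(f"{label:35} -> {outcome}")
```

The last two rows are the ones worth checking in a real deployment: with a password filter in place, a token-shaped password is handed to the other system without any Windows password check, while a failed SMS PASSCODE login is rejected outright even though Forward failed request is on. Because the model uses re.search, anchor the pattern (as in the constructed ^\d{6}$) so that a Windows password containing six digits is not mistaken for a token.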

d. Password validation

By default, SMS PASSCODE® will validate user passwords using the WinNT provider (i.e. validating the user’s Windows password). This will work for both AD users and local Windows users created on the RADIUS server. You can select Custom LDAP if you wish to validate user passwords against some specific LDAP attribute in the AD instead. Please specify the name of an existing LDAP attribute in the AD in this case. Custom LDAP validation will only work for AD users.


e. Default domains

The Default domains setting is useful if you need to authenticate users from different domains, but do not wish to force the users to enter or select the domain explicitly during authentication.

In case SMS PASSCODE® RADIUS protection is authenticating a user with a user name that explicitly contains a domain using SAM (domain\username) or UPN (username@domain) format, then the user is always authenticated in the domain specified.

If no domain is specified explicitly, then SMS PASSCODE® RADIUS protection will try to authenticate the user using the list of domains specified in the Default domains setting. Authentication is attempted according to the prioritized order of the domains in the list. Please note that you can also specify the name of the RADIUS server itself in the list. This entry will cause the RADIUS server to authenticate the user as a local Windows user on the RADIUS server itself.

Eventually, if authentication fails in all the specified domains or if the Default domains list is empty, SMS PASSCODE® RADIUS protection will always make a last attempt to authenticate the user in the local domain, i.e. the domain that the RADIUS server is a member of. If the RADIUS server is a standalone server, then this last authentication attempt is performed using the local Windows user storage.
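The domain resolution order described above, as an added example that is not part of the SMS PASSCODE guide or product. The try_logon callback stands in for the real Windows credential check; the domain names sales, corp and hq, the server name RADIUSSRV, the account alex and the passwords are all constructed:

```python
from typing import Callable, Iterable, List, Optional, Tuple

# Added example, not from the SMS PASSCODE guide: the order in which the
# RADIUS Protection component tries domains for a user name, as described
# under "Default domains" above. try_logon stands in for the real Windows
# credential check; the domain names, account names, passwords and the
# server name RADIUSSRV are constructed.


def split_user_name(user_name: str) -> Tuple[Optional[str], str]:
    """Return (domain, account). domain is None for a bare account name."""
    if "\\" in user_name:                       # SAM: domain\username
        domain, account = user_name.split("\\", 1)
        return domain, account
    if "@" in user_name:                        # UPN: username@domain
        account, domain = user_name.rsplit("@", 1)
        return domain, account
    return None, user_name


def candidate_domains(user_name: str, default_domains: Iterable[str],
                      local_domain: str) -> List[str]:
    """Domains tried, in order, for one user name.

    An explicit domain in the user name is the only one tried. Otherwise the
    Default domains list is walked in its configured order, and the local
    domain (or the local user store of a standalone server) is always tried
    last, which is also the only attempt when the list is empty.
    """
    domain, _ = split_user_name(user_name)
    if domain is not None:
        return [domain]
    return list(default_domains) + [local_domain]


def authenticate(user_name: str, password: str,
                 try_logon: Callable[[str, str, str], bool],
                 default_domains: Iterable[str], local_domain: str) -> Optional[str]:
    """Return the domain that accepted the credentials, or None if all failed."""
    _, account = split_user_name(user_name)
    for domain in candidate_domains(user_name, default_domains, local_domain):
        if try_logon(domain, account, password):
            return domain
    return None


# Constructed stand-in for the Windows credential check: (domain, account) -> password.
FAKE_ACCOUNTS = {
    ("sales", "alex"):     "pw-sales",
    ("corp", "alex"):      "pw-corp",
    ("RADIUSSRV", "alex"): "pw-local",   # local Windows account on the RADIUS server
}


def fake_logon(domain: str, account: str, password: str) -> bool:
    return FAKE_ACCOUNTS.get((domain, account)) == password


if __name__ == "__main__":
    defaults = ["sales", "corp", "RADIUSSRV"]   # the Default domains list
    for name, pw in [("alex", "pw-corp"), ("corp\\alex", "pw-sales"), ("alex@sales", "pw-sales")]:
        print(name, "->", authenticate(name, pw, fake_logon, defaults, "hq"))
```

The point to take from the walk: a bare account name that exists in several listed domains is accepted by the first domain whose password matches, so order the Default domains list deliberately and keep it short, and add the RADIUS server's own name only if local accounts are meant to log in this way.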

f. Skip password validation

This setting allows adding a list of RADIUS clients for which password validation should be skipped completely by SMS PASSCODE® RADIUS protection. I.e. if an authentication request is received from any RADIUS client in this list, then an SMS PASSCODE will be sent to the user without validating the user password at all.

WARNING:

Use this setting with great caution. It is only recommended to skip password validation for RADIUS clients that will check the user password by themselves, before the RADIUS request is sent to the RADIUS server.

12.4.3.2 RADIUS Authorization Settings

When a user has been authenticated successfully by SMS PASSCODE® RADIUS protection, a RADIUS accept package is returned to the RADIUS client. This package does NOT contain any authorization information by default.

However, if your RADIUS client supports authorization, you can enable the authorization feature of the SMS PASSCODE® RADIUS protection component. When authorization is enabled, SMS PASSCODE® RADIUS protection will automatically determine the names of all AD groups that the authenticated user is a member of. All or some of these group names are then added to the RADIUS authorization attribute and sent along with the RADIUS accept message to the RADIUS client. The RADIUS client can subsequently retrieve all these group names from the attribute and allocate permissions depending on the AD group memberships of the user. It is even possible to apply transformations to the AD group names if the RADIUS client expects specific group names that you do not wish to create in your AD.


Authorization is configured on the Authorization tab on the RADIUS Client Protection tab:


The settings have the following purposes:

a. Enable authorization

This is the main setting to enable or disable authorization.

i. Unchecked (default): Authorization is disabled, i.e. no authorization attribute is included in any RADIUS accept package.

ii. Checked: Authorization is enabled, i.e. each RADIUS accept package will contain an authorization attribute. The properties and content of the authorization attribute are defined using the settings below.

b. Authorization attribute properties

This group of settings defines the main characteristics of the authorization attribute. The default settings are the settings expected by a Citrix Access Gateway with default settings.

Max size of attribute: Defines the maximum allowed size of the content of the authorization attribute in multiples of 249 bytes. I.e. a value of 4 (the default value) means 4 x 249 = 996 bytes. The content of the authorization attribute will be cut off if it exceeds the specified maximum size.

Vendor code: Use this setting to specify a vendor code in case your RADIUS client expects a specific vendor code in the authorization attribute.

Attribute number: Use this setting to specify an attribute number in case your RADIUS client expects a specific attribute number in the authorization attribute.

Prefix/Separator: The content of the authorization attribute will have a format like this:

[Prefix][Group1][Separator][Group2][Separator]….[GroupN][Separator]

where [Group1], [Group2], …, [GroupN] are the names of the AD groups that the authenticated user is a member of, and [Prefix] and [Separator] contain customizable content to be configured using the settings Prefix and Separator, respectively. E.g. if you set Prefix to “CTXSUserGroups=” and Separator to “;” and the user is a member of 3 groups called “OwaAccess”, “CitrixAccess” and “SharePointAccess”, then the content of the authorization attribute will be like this:

CTXSUserGroups=OwaAccess;CitrixAccess;SharePointAccess;

c. Active Directory resolve provider

This setting defines whether the Global catalog or LDAP should be used for retrieving the AD groups that the authenticating user is a member of. Please note that only direct group memberships are retrieved.

When using Global catalog, a single GC server will be contacted. When using LDAP, all necessary domain controllers that are available will be contacted, even including child domains and trusted domains.


d. Restrict groups collected into the authorization attribute

SMS PASSCODE® RADIUS protection will collect all direct group memberships by default and put the names of the groups into the authorization attribute. If your users have a lot of group memberships, the total length of the group names might exceed the maximum size of the RADIUS attribute, which will cause some of the group names to be cut off. Since you cannot predict which groups will be cut off, it might be better to select a restricted number of group names that you will actually need in your authorization attribute. This is just what the setting Restrict groups collected into the authorization attribute allows you to define. You can add a number of group names to the list, which will cause SMS PASSCODE® RADIUS protection to only collect group names from this list into the authorization attribute.

Group name transformation: When entering group names into the restriction list, you may enter the group names in a special format to perform transformation of the group names. The syntax is:

[AD Group Name];[RADIUS Client Group Name]

For example, if you have an AD group called “Sales People” and you would like to report the group “OwaAccess” to the RADIUS Client in this case, then you should add the following entry to the restriction list:

Sales People;OwaAccess

Only collect first matching group: If you check this setting, then SMS PASSCODE® RADIUS protection will at most put one single group name into the authorization attribute. This will be the first group in the restriction list that the authenticated user is a member of. Restricting to a single group is useful if your RADIUS client will only accept a single value in the authorization attribute.
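The attribute format from section b (Prefix/Separator and Max size) together with the restriction list, group name transformation and Only collect first matching group setting from section d, as one added example that is not code from the SMS PASSCODE guide or product. The prefix CTXSUserGroups=, the separator, the 249-byte unit and the OwaAccess/CitrixAccess/SharePointAccess/Sales People names come from the guide; the GroupNN names, the UTF-8 encoding and the choice to report groups in restriction-list order are the example's own assumptions:

```python
from typing import Iterable, List, Tuple

# Added example, not from the SMS PASSCODE guide: builds the content of the
# RADIUS authorization attribute from a user's direct AD group memberships,
# following the [Prefix][Group][Separator]... format, the Max size rule
# (multiples of 249 bytes), the restriction list with its
# "AD Group Name;RADIUS Client Group Name" transformation, and the
# "Only collect first matching group" setting. Prefix, separator, unit size
# and the example group names come from the guide; the GroupNN names, the
# UTF-8 encoding and restriction-list ordering are constructed/assumed.

ATTRIBUTE_UNIT = 249   # Max size of attribute counts multiples of this


def parse_restriction_entry(entry: str) -> Tuple[str, str]:
    """"AD Group Name;RADIUS Client Group Name" -> (ad_name, reported_name).

    An entry without ';' reports the AD group name unchanged.
    """
    if ";" in entry:
        ad_name, reported = entry.split(";", 1)
        return ad_name.strip(), reported.strip()
    return entry.strip(), entry.strip()


def select_groups(user_groups: Iterable[str], restriction_list: Iterable[str] = (),
                  only_first_match: bool = False) -> List[str]:
    """Names to put into the attribute, after restriction and transformation."""
    members = list(user_groups)
    entries = [parse_restriction_entry(e) for e in restriction_list]
    if not entries:
        return members                    # default: every direct membership
    membership = set(members)
    selected = []
    for ad_name, reported in entries:     # assumption: restriction-list order
        if ad_name in membership:
            selected.append(reported)
            if only_first_match:
                break                     # at most one group name
    return selected


def build_authorization_attribute(user_groups: Iterable[str], *,
                                  prefix: str = "CTXSUserGroups=",
                                  separator: str = ";",
                                  restriction_list: Iterable[str] = (),
                                  only_first_match: bool = False,
                                  max_size: int = 4,
                                  encoding: str = "utf-8") -> bytes:
    """Attribute content, cut off at max_size * 249 bytes as the guide states."""
    groups = select_groups(user_groups, restriction_list, only_first_match)
    content = prefix + "".join(group + separator for group in groups)
    return content.encode(encoding)[: max_size * ATTRIBUTE_UNIT]


def truncation_demo() -> bytes:
    """A user in 60 constructed groups with Max size 1: the content is cut mid-name."""
    many_groups = [f"Group{i:02d}" for i in range(60)]
    return build_authorization_attribute(many_groups, max_size=1)


if __name__ == "__main__":
    print(build_authorization_attribute(["OwaAccess", "CitrixAccess", "SharePointAccess"]))
    print(build_authorization_attribute(
        ["Domain Users", "Sales People", "CitrixAccess"],
        restriction_list=["Sales People;OwaAccess", "CitrixAccess"]))
    print(truncation_demo())
```

truncation_demo() shows why the restriction list matters: with 60 memberships and Max size 1 the content stops after 249 bytes, in the middle of a group name, and a RADIUS client parsing the attribute sees a partial name and none of the groups that followed it.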


12.4.3.3 Miscellaneous RADIUS settings

The remaining RADIUS settings are collected on the Miscellaneous tab on the RADIUS Client Protection tab:


The settings have the following purposes:

a. Text settings

Code Page used for encoding: This setting specifies the Windows Code Page used for encoding input texts, i.e. user names, passwords and passcodes.

Custom challenge message: By default SMS PASSCODE® RADIUS protection will send the message “Please enter SMS PASSCODE” when the user should enter the SMS PASSCODE on the RADIUS challenge. Using this setting you can change this message to a different text. This is useful for localization of the message or in case your RADIUS client will only accept specific text(s) in the RADIUS challenge.

b. Only apply SMS PASSCODE authentication to the following Connection Request Policies

By default SMS PASSCODE® RADIUS protection will apply to all incoming RADIUS requests. However, if you wish to apply SMS PASSCODE® authentication only to specific requests, you have the option to restrict SMS PASSCODE® authentication to incoming requests matching specific Connection Request Policies defined in the IAS/NPS manager.

IMPORTANT:
When creating Connection Request Policies for SMS PASSCODE® authentication, you should assign the option “Accept Users without validating credentials” to them (cf. section 12.4.1/12.4.2).

c. Forced Challenge Response Clients / Clients not supporting challenge packets

SMS PASSCODE® RADIUS protection supports both RADIUS clients that support challenge/response and RADIUS clients that do not. When the first request is received from a RADIUS client after the IAS/NPS service has started, the IAS/NPS service will auto-detect whether the RADIUS client supports challenge/response or not. If the client does not support challenge/response, then SMS PASSCODE® authentication is performed in two steps: the user password is validated in a first RADIUS authentication and the SMS PASSCODE is validated in a second RADIUS authentication. This means a non-session-specific two-factor authentication is performed, as opposed to a challenge/response two-factor authentication, which will always be session-specific.

If you do not wish to allow the auto-detection mechanism described above, you can enter the host names or IP addresses of RADIUS clients either into the Forced Challenge Response Clients list or into the Clients not supporting challenge packets list. RADIUS clients in these two lists will be forced to always or never use challenge/response, respectively.

d. Do not send the state attribute to the following clients

According to the RADIUS RFC, all RADIUS challenge packets should contain a state attribute (which is a session identifier). However, some RADIUS clients seem not to support this state attribute. In this case, you can add the host name or IP address of the RADIUS client to the Do not send the state attribute to the following clients list, which will force SMS PASSCODE® protection not to insert the state attribute. This is not recommended unless it is really required.
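To make concrete what settings (c) and (d) trade away, here is an added Python example of a minimal RADIUS challenge/response exchange laid out per RFC 2865; it is not code from the guide or from SMS PASSCODE. The server answers the password step with an Access-Challenge carrying the default challenge text and a random State attribute, and accepts the passcode step only if that exact State comes back. With send_state=False (the "Do not send the state attribute" list) the challenge still goes out, but nothing ties the second request to the session. The shared secret, user name and authenticators are constructed test values.

```python
# Added example (not SMS PASSCODE code): a minimal RADIUS challenge/response
# exchange laid out per RFC 2865, showing what the State attribute in (c)/(d)
# buys you.  The shared secret, user name and authenticators are constructed
# test values; real deployments take them from the NAS/server configuration.
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types (standard values).
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 18, 24
DEFAULT_CHALLENGE_MSG = b"Please enter SMS PASSCODE"  # the guide's default text


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] into RADIUS type/length/value attributes."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS attributes, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, authenticator, attrs):
    """Client side: an Access-Request carrying a 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def build_response(code, ident, request_auth, attrs, secret):
    """Server side.  Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(response, request_auth, secret):
    """What a RADIUS client checks before acting on a challenge."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def make_challenge(request, secret, message=DEFAULT_CHALLENGE_MSG, send_state=True):
    """After the password step: answer with Access-Challenge.  Returns (packet, state).

    send_state=False reproduces the 'Do not send the state attribute' list: the
    challenge still goes out, but nothing ties the passcode reply to this session.
    """
    _, ident, request_auth, _ = parse_packet(request)
    state = os.urandom(16) if send_state else None
    attrs = [(ATTR_REPLY_MESSAGE, message)]
    if state is not None:
        attrs.append((ATTR_STATE, state))
    return build_response(ACCESS_CHALLENGE, ident, request_auth, attrs, secret), state


def state_matches(second_request, expected_state):
    """Accept the passcode only if the client echoed exactly the State it was given."""
    _, _, _, attrs = parse_packet(second_request)
    echoed = [value for attr_type, value in attrs if attr_type == ATTR_STATE]
    return len(echoed) == 1 and hmac.compare_digest(echoed[0], expected_state)
```

The State value is what makes the second factor session-specific: the server can refuse a passcode that arrives without the State (or with someone else's), which is exactly the binding the two-step fallback for clients without challenge support does not have.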


12.4.4 RADIUS Forwarding

This section describes how you can configure RADIUS forwarding when you enable the Forward failed request option on the Authentication tab.

Configuring RADIUS forwarding on a Windows Server 2003 (IAS) to another RADIUS server: Please read section 12.4.4.1 (page 183).

Configuring RADIUS forwarding on a Windows Server 2008 (NPS) to another RADIUS server: Please read section 12.4.4.2 (page 190).

Configuring RADIUS forwarding to another IAS/NPS extension on the same server: Please read section 12.4.4.3 (page 197).

12.4.4.1 Forwarding to another Radius Server (Windows Server 2003)

This section describes how to configure forwarding of RADIUS authentication requests to another RADIUS server when using IAS (Windows Server 2003). To achieve this, you have to create:

A Remote RADIUS Server Group that defines the RADIUS server(s) to receive the forwarded authentication requests.

A Connection Request Policy defining the condition(s) for forwarding requests to the remote RADIUS Server Group.

You can even create multiple Remote RADIUS Server Groups and multiple Connection Request Policies – in this case the Connection Request Policies can define different conditions for forwarding to different RADIUS servers.

The procedure for creating a Remote RADIUS Server Group and a Connection Request Policy is:

1. First, you need to create a group of remote RADIUS servers. To do this: In the IAS Management Console, right-click the Remote RADIUS Server Groups node and select New Remote RADIUS Server Group.


2. The New Remote RADIUS Server Group Wizard dialog appears. Click Next and add one or more RADIUS servers to this group using the wizard.

3. When the last page of the Wizard is reached: Leave the check box checked and click on Finish:


4. The New Connection Request Policy Wizard dialog appears. Click Next.

5. New fields appear in the New Connection Request Policy Wizard dialog. Set up a custom policy.

a. Select A custom policy.

b. Enter a name for the policy, e.g. Forward requests.

c. Click Next.


6. Now you should define the conditions that define when this policy is used. Click Add…

7. First, you should define when forwarding occurs:

a. Select Day-And-Time-Restrictions

b. Click Add…


c. Select Permitted.

d. Click OK.

8. If other conditions should be applied for this policy, click Add… and select other conditions. This could for example be useful if you plan to have multiple forwarding policies that should forward to different RADIUS servers depending on different conditions. Click Next when you have finished adding your conditions of choice.


9. Now we need to define which servers authentication requests should be forwarded to. Click Edit Profile…

a. Select Forwarding requests to the following remote RADIUS server group for authentication.

b. Select the RADIUS Server Group that you created earlier (in step 2).

c. Click OK.


10. Click Next.

11. Click Finish.

You have now successfully set up authentication forwarding. Please remember to test all authentication systems thoroughly – test both successful and failed authentication attempts.


12.4.4.2 Forwarding to another Radius Server (Windows Server 2008)

This section describes how to configure forwarding of RADIUS authentication requests to another RADIUS server when using NPS (Windows Server 2008). To achieve this, you have to create:

A Remote RADIUS Server Group that defines the RADIUS server(s) to receive the forwarded authentication requests.

A Connection Request Policy defining the condition(s) for forwarding requests to the remote RADIUS Server Group.

You can even create multiple Remote RADIUS Server Groups and multiple Connection Request Policies – in this case the Connection Request Policies can define different conditions for forwarding to different RADIUS servers.

The procedure for creating a Remote RADIUS Server Group and a Connection Request Policy is:

1. First you need to create a group of remote RADIUS servers. To do this: In the NPS Management Console, right-click the Remote RADIUS Server Groups node and select New.


2. The New Remote RADIUS Server Group dialog appears. Add one or more RADIUS servers to this group, and afterwards click OK to create the group.

3. When the Remote RADIUS Server Group has been created successfully, create a new Connection Request Policy. To do so, right-click the Connection Request Policies node and select New.


4. The New Connection Request Policy dialog appears.

a. Enter a name for the policy, e.g. Forward Requests.

b. Select Type of network access server.

c. Click Next.


5. Now you should specify the conditions that define when this policy is used. Click Add…


6. First you should define when forwarding occurs:

a. Select Day-And-Time-Restrictions

b. Click Add…

c. Select Permitted.

d. Click OK.


7. If other conditions should be applied for this policy, click Add… and select other conditions. This could for example be useful if you plan to have multiple forwarding policies that should forward to different RADIUS servers depending on different conditions. Click Next when you have finished adding your conditions of choice.


8. Now we need to define which servers authentication requests should be forwarded to.

a. Select Forward requests to the following remote RADIUS server group for authentication.

b. Select the RADIUS Server Group that you created earlier (in step 2).

c. Click Next.

9. Click Next again.


10. Click Finish.

You have now successfully set up authentication forwarding. Please remember to test all authentication systems thoroughly – test both successful and failed authentication attempts.

12.4.4.3 Forwarding to Another IAS/NPS Extension

If the SMS PASSCODE® RADIUS Protection component is installed on an IAS/NPS server and another IAS/NPS extension was already installed on the system, SMS PASSCODE® will automatically forward authentication requests to the other extension as soon as forwarding is enabled.

When multiple IAS/NPS extensions are installed on the same server, the SMS PASSCODE® IAS/NPS extension should always be the last one installed.


12.5 Configuring ISA/TMG Web Site Protection

The SMS PASSCODE® ISA/TMG Web Site Protection component allows you to apply SMS PASSCODE® authentication to web sites that have been published through a Microsoft ISA Server 2006 or Microsoft Forefront TMG 2010.

The following requirements must be fulfilled to apply SMS PASSCODE® ISA/TMG Web Site Protection to a web site successfully:

The web site has to be published using a Web Listener.

The Web Listener used must be configured like this:

i. Client Authentication Method = HTML Form Authentication.

ii. Authentication Validation Method = Windows (Active Directory), LDAP (Active Directory) or RADIUS.

iii. A Cookie Name must be specified for the Form Authentication.

iv. SMS PASSCODE® authentication must be enabled.

The necessary actions to apply SMS PASSCODE® ISA/TMG Web Site Protection to a web site are described in more detail below:

1. Open the ISA/TMG Management Console.

2. Create a new Web Site Publishing Rule to publish your web site through the ISA/TMG Server (if this has not been done yet).

3. Open the Properties dialog for the Web Listener assigned to the Web Site Publishing Rule.


4. Select the Authentication tab and ensure that

a. The Client Authentication Method is set to HTML Form Authentication.

b. The Authentication Validation Method is set to either Windows (Active Directory), LDAP (Active Directory) or RADIUS.

(It is not of importance whether the SMS PASSCODE tab is displayed or not in your case.)


5. Select the Forms tab and click the Advanced… button:

6. On the Advanced Form Options tab, enter a Cookie Name of your own choice and then click OK.

7. Save the new Web Listener settings and apply the changes to the ISA/TMG server configuration.


8. Ensure that the published web site is accessible (from the external network) with standard authentication (i.e. without SMS PASSCODE® authentication).

9. Now enable SMS PASSCODE® ISA/TMG Web Site Protection. To do this, open the Web Listener Properties dialog again. It is mandatory this time that the Properties dialog is opened through the Toolbox of the ISA/TMG Management Console (see footnote 17):

IMPORTANT:
Always access the Properties dialog of a Web Listener through the ISA/TMG Toolbox when you want to enable or disable SMS PASSCODE® authentication for a Web Listener. The SMS PASSCODE tab will only appear if the Properties dialog is accessed in this way.

17 This is required, because the ISA/TMG Management Console does not show custom tabs on the Properties dialog of a Web Listener if this dialog is opened from a Web Publishing Rule.


10. Select the SMS PASSCODE tab.

a. Ensure that the SMS Passcode Compatibility text box shows the text “Ok”. This should be the case if all the preceding steps have been completed properly. If not, then the text box will contain a message describing which actions are missing.

b. Check the Enable SMSPASSCODE authentication for the listener option.

c. Click the OK button.

11. Apply the changes to the ISA/TMG server configuration.

12. Now check that the published web site is accessible (from the external network) with SMS PASSCODE® authentication.

This completes the procedure for applying SMS PASSCODE® authentication to a web site published through an ISA/TMG server.


12.6 Configuring IIS Web Site Protection

If you have installed the optional IIS Web Site Protection component on a server hosting Microsoft Outlook Web Access (OWA) or Microsoft RD Web Access, you will normally enable protection of the OWA or RD Web Access site during installation and will not have to make any further configuration changes afterwards. However, you may decide to perform further configuration of the IIS Web Site Protection component in the following cases:

a. If a new web site is added to the IIS, then access to this site will by default be disallowed by the SMS PASSCODE® IIS Web Site Protection component. In this case you have to refresh the IIS Web Site Protection configuration file to allow access to this web site.

b. If you wish to protect other web sites than OWA or RD Web Access by SMS PASSCODE® authentication, then you have to enable this manually. Please note that the SMS PASSCODE® IIS Web Site Protection component currently only supports protection of OWA sites, RD Web Access sites and web sites using Basic or Integrated Windows Authentication.

c. If you wish to disable SMS PASSCODE® authentication for specific web sites, then you can do this manually.

d. The SMS PASSCODE® IIS Web Site Protection component also offers advanced configuration options. E.g. it is possible to configure authentication rules depending on the clients’ source IP addresses.

12.6.1 ISAPI Filter

The SMS PASSCODE® IIS Web Site Protection component is implemented using an ISAPI filter. This ISAPI filter is added to the IIS running on the server and extends the behavior of the IIS. The default path of the ISAPI filter is:

C:\Program Files\SMS PASSCODE\ISAPI\SMSPasscodeISAPIFilter.dll

12.6.2 ISAPI Filter Configuration File

The behavior of the ISAPI filter is controlled by an XML configuration file. The default path of this configuration file is:

C:\Program Files\SMS PASSCODE\ISAPI\Config.xml

You can control the behavior of the ISAPI filter by making changes to this configuration file. The most common configuration changes are most easily made using the command line tool called IsapiAdmin. This tool is by default located here:

C:\Program Files\SMS PASSCODE\ISAPI\IsapiAdmin.exe

The syntax and usage of the IsapiAdmin tool is described in section 12.6.3 below.

Another way to change the configuration file is by making changes to this file manually using a text editor (e.g. Notepad). This allows for more advanced configuration changes. The syntax of the configuration file is described in detail in section 12.6.4.


IMPORTANT:
Whenever changes are made to the ISAPI filter configuration file using the IsapiAdmin tool, these changes take effect immediately. Whenever changes are made to the ISAPI filter configuration file manually, these changes do not take effect until the SMS PASSCODE ISAPI Service has been restarted.

12.6.3 The IsapiAdmin Tool

The default path of the command line tool IsapiAdmin is:

C:\Program Files\SMS PASSCODE\ISAPI\IsapiAdmin.exe

This tool has four main features:

a. Enable SMS PASSCODE® authentication for a specific web site on the local IIS.

b. Disable SMS PASSCODE® authentication for a specific web site on the local IIS.

c. Refresh the ISAPI filter configuration file, allowing access to all newly added web sites on the local IIS.

d. List the web sites on the local IIS.

The following sub-sections describe the syntax of the IsapiAdmin tool.

12.6.3.1 Enable Protection of a Web Site

To enable SMS PASSCODE® authentication for a specific web site, use the -protect option in one of the following two ways:

    IsapiAdmin -protect -name "Web Site Name"
               [-DirName "Virtual Dir Name"]
               [-owa [-allowActiveSync] [-allowRpcOverHttps] | -rdweb]

- or -

    IsapiAdmin -protect -siteID "Web Site ID"
               [-DirName "Virtual Dir Name"]
               [-owa [-allowActiveSync] [-allowRpcOverHttps] | -rdweb]


The different arguments of the command are described below.

-protect: This argument instructs the tool to protect a web site.

-name: This argument is used to specify the name of the web site to protect. Example: IsapiAdmin -protect -name "Default Web Site"

-siteID: This argument is used to specify the ID of the web site to protect. The default web site always has ID 1. Example: IsapiAdmin -protect -siteID 1. Use IsapiAdmin -list to get a list of the IDs of the different web sites (described in section 12.6.3.4, page 207).

-DirName (optional): This optional argument is used to specify the name of the virtual directory that is created within the web site that is being protected. This virtual directory contains files needed by the ISAPI filter. If the argument is not present, the default name SmsPasscodeLogon is used. Example: IsapiAdmin -protect -name "Default Web Site" -DirName "MyName"

-owa (optional): This argument is required if the web site is an OWA Web Site using form-based authentication. For web sites using Basic or Integrated Windows Authentication, please omit this argument.

-allowActiveSync (optional): This argument is only allowed together with the -owa argument. It instructs the ISAPI filter to disable SMS PASSCODE® authentication for ActiveSync connections.

-allowRpcOverHttps (optional): This argument is only allowed together with the -owa argument. It instructs the ISAPI filter to disable SMS PASSCODE® authentication for RPC over HTTP/HTTPS connections.

-rdweb: This argument is required if the web site is an RD Web Access site using form-based authentication. For web sites using Basic or Integrated Windows Authentication, please omit this argument.

Examples:

Enable SMS PASSCODE® authentication for an OWA site using form-based authentication, allow ActiveSync, disallow RPC over HTTP/HTTPS connections:

    IsapiAdmin -protect -name "Default Web Site" -owa -allowActiveSync

...or since the Default Web Site always has ID 1, you could also enter:

    IsapiAdmin -protect -siteID 1 -owa -allowActiveSync


Enable SMS PASSCODE® authentication for the SMS PASSCODE® Web Administration Interface:

    IsapiAdmin -protect -name "SMS PASSCODE Admin"

Enable SMS PASSCODE® authentication for an OWA site using Basic or Integrated Windows Authentication:

    IsapiAdmin -protect -name "Default Web Site"

12.6.3.2 Disable Protection of a Web Site

To disable SMS PASSCODE® authentication for a specific web site, use the -unprotect option in one of the following two ways:

    IsapiAdmin -unprotect -name "Web Site Name"

- or -

    IsapiAdmin -unprotect -siteID "Web Site ID"

The different arguments of the command are described below.

-unprotect: This argument instructs the tool to disable protection of a web site.

-name: This argument is used to specify the name of the web site to unprotect. Example: IsapiAdmin -unprotect -name "Default Web Site"

-siteID: This argument is used to specify the ID of the web site to unprotect. The default web site always has ID 1. Example: IsapiAdmin -unprotect -siteID 1. Use IsapiAdmin -list to get a list of the IDs of the different web sites (described in section 12.6.3.4, page 207).

Examples:

Disable SMS PASSCODE® authentication for an OWA site:

    IsapiAdmin -unprotect -name "Default Web Site"

...or since the Default Web Site always has ID 1, you could also enter:

    IsapiAdmin -unprotect -siteID 1

Disable SMS PASSCODE® authentication for the SMS PASSCODE® Web Administration Interface:

    IsapiAdmin -unprotect -name "SMS PASSCODE Admin"


12.6.3.3 Refresh the Configuration File

The ISAPI filter configuration file specifies, for each web site, whether SMS PASSCODE® authentication is enabled or disabled. However, if a new web site is added to the local IIS, and this web site is not listed in the ISAPI filter configuration file, then the ISAPI filter will disallow access to this site. If you try to access the web site, then you will see the following error message:

To allow access to the web site, you must either enable or disable SMS PASSCODE® authentication as described above in section 12.6.3.1 or 12.6.3.2, respectively. Another possibility is to use the refresh option using the following syntax:

    IsapiAdmin -refresh

Executing this command will automatically detect all web sites present in the local IIS and add all missing web sites to the ISAPI filter configuration file. All missing web sites are added with SMS PASSCODE® authentication disabled.

12.6.3.4 List ID of Web Sites

The IsapiAdmin command line tool also has a feature for showing a list of all web sites present in the local IIS. This list displays the name and ID of each site. The syntax for showing the list of web sites is:

    IsapiAdmin -list


12.6.4 ISAPI Filter Configuration File Syntax

The configuration of the ISAPI filter is stored in an XML configuration file. The default path of this file is:

C:\Program Files\SMS PASSCODE\ISAPI\Config.xml

The following subsections describe the anatomy (syntax) of this file in detail.

IMPORTANT:
Whenever changes are made to the ISAPI filter configuration file manually, these changes do not take effect until the SMS PASSCODE ISAPI Service has been restarted.

12.6.4.1 <CONFIG> Element

At the top level, the configuration file contains one <CONFIG> element, which again contains one or more <SITE> elements.

    <CONFIG>
      <SITE />
      ...
      <SITE />
    </CONFIG>

The configuration file must contain a <SITE> element for each web site in the local IIS.

12.6.4.2 <SITE> Element

Each site element of the configuration file contains the settings for a specific web site in the local IIS:

    <SITE name="Web Site Name" smspasscodedir="virtual dir name">
      <URL />
      ...
      <URL />
    </SITE>

Each SITE element contains the following attributes:

name: Specifies the name of the web site that is configured by this <SITE> element.

smspasscodedir: Specifies the URL of the virtual directory containing the files that are needed by the SMS PASSCODE® ISAPI filter during SMS PASSCODE® authentication. The recommended value is "/SmsPasscodeLogon/". It is recommended to enable SMS PASSCODE® authentication for a web site using the IsapiAdmin tool, because this tool will automatically create the required virtual directory and configure it correctly (please read section 12.6.3.1, page 204).


SMS PASSCODE® authentication is enabled by default for each web site that is named by a SITE element. However, each SITE element may contain one or more <URL> elements that configure the authentication behavior of the web site.

12.6.4.3 <URL> Element

The <URL> elements within a <SITE> element define the authentication behavior of the web site. The syntax is:

    <URL path="URL path" smspasscode="true|false" type="authentication type" credentials="credentials source">
      <HOST />
      ...
      <HOST />
    </URL>

Each <URL> element contains the following attributes:

path: Specifies the URL that this element applies to. Please note that the configuration of this element applies to all sub-URLs as well, unless these are overruled by another, more specific <URL> element.

smspasscode: Boolean attribute defining whether SMS PASSCODE® authentication should be enabled (smspasscode="true") or disabled (smspasscode="false") for the specified URL.

type / credentials: These are optional attributes. These attributes should not be specified for web sites or virtual directories that are using Basic or Integrated Windows Authentication.

For OWA sites using form-based authentication, type="FormAuthentication" and credentials="OWA" should be specified for the following virtual directories:

o /exchange

o /exchweb

o /owa

For RD Web Access sites using form-based authentication, type="FormAuthentication" and credentials="rdweb" should be specified for the following virtual directories:

o /rdweb

Normally, you will not set the attributes type and credentials manually. Use the tool IsapiAdmin with the -owa or -rdweb option to protect an OWA site or RD Web Access site, respectively (please read section 12.6.3.1, page 204).

12.6.4.4 <HOST> Element

Each <URL> element may contain one or more <HOST> elements. Using a <HOST> element you can override the configuration of the parent <URL> element depending on the client’s source IP address. The syntax is:

    <HOST ip="x.x.x.x" smspasscode="true|false" />


I.e. each <HOST> element contains the following attributes:

ip: Specifies the source IP address of the client(s) that this element applies to. Wildcards are allowed, e.g. ip="192.168.*". Also, you may specify ip="localhost"; in this case the element applies to all requests from the local host, no matter if the requests are coming from IP address 127.0.0.1 or from any other locally assigned IP address.

smspasscode: Boolean attribute defining whether SMS PASSCODE® authentication should be enabled (smspasscode="true") or disabled (smspasscode="false") for the specified client(s).

12.6.4.5 Configuration Examples

This section shows different examples for configuring web sites:

Enable SMS PASSCODE® authentication for the default web site:

    <CONFIG>
      <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
        <URL path="/" smspasscode="true" />
        <URL path="/SmsPasscodeLogon" smspasscode="false" />
      </SITE>
    </CONFIG>

Disable SMS PASSCODE® authentication for the default web site:

    <CONFIG>
      <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
        <URL path="/" smspasscode="false" />
      </SITE>
    </CONFIG>

Enable SMS PASSCODE® authentication for the default web site, but only for the URLs starting with "/secure":

    <CONFIG>
      <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
        <URL path="/" smspasscode="false" />
        <URL path="/secure" smspasscode="true" />
      </SITE>
    </CONFIG>

Enable SMS PASSCODE® authentication for the default web site, but not for clients requesting from IP addresses 192.168.*:

    <CONFIG>
      <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
        <URL path="/" smspasscode="true">
          <HOST ip="192.168.*" smspasscode="false" />
        </URL>
      </SITE>
    </CONFIG>


Enable SMS PASSCODE® authentication for an OWA site using form-based authentication:

    <CONFIG>
      <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
        <URL path="/" smspasscode="false" />
        <URL path="/exchange" smspasscode="true" type="FormAuthentication" credentials="OWA" />
        <URL path="/exchweb" smspasscode="true" type="FormAuthentication" credentials="OWA" />
        <URL path="/OWA" smspasscode="true" type="FormAuthentication" credentials="OWA" />
        <URL path="/rpc" smspasscode="true">
          <HOST ip="localhost" smspasscode="false" />
        </URL>
      </SITE>
    </CONFIG>
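The precedence rules of sections 12.6.4.1 to 12.6.4.5 (a listed site is protected by default, the most specific <URL> path wins, a <HOST> entry overrides its parent <URL> by client IP, and an unlisted site is denied outright) are easy to get wrong when editing Config.xml by hand. The following added Python example, which is not code from the guide or from SMS PASSCODE, evaluates a configuration against a request so the effect of an edit can be checked before the ISAPI service is restarted. It assumes that path matching is case-insensitive (as IIS paths are), that the first matching <HOST> wins, and uses a constructed set of "locally assigned" addresses in place of what the filter learns from the server; the sample configuration is constructed from the guide's own examples.

```python
# Added example (not SMS PASSCODE code): a small evaluator for the Config.xml
# semantics documented in 12.6.4, used to answer "does this request need an
# SMS PASSCODE?" before editing the real file.  Assumptions: path matching is
# case-insensitive (IIS paths are); the first matching <HOST> wins; the set of
# "locally assigned" addresses is a constructed stand-in for what the ISAPI
# filter learns from the server.
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample config modelled on the guide's examples; not a real deployment file.
SAMPLE_CONFIG = """<CONFIG>
  <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
    <URL path="/" smspasscode="true">
      <HOST ip="192.168.*" smspasscode="false" />
    </URL>
    <URL path="/SmsPasscodeLogon" smspasscode="false" />
    <URL path="/rpc" smspasscode="true">
      <HOST ip="localhost" smspasscode="false" />
    </URL>
  </SITE>
</CONFIG>"""

LOCAL_ADDRESSES = {"127.0.0.1", "::1", "10.0.0.5"}  # constructed: the server's own IPs


def _parse_bool(value):
    if value is None or value.strip().lower() not in ("true", "false"):
        raise ValueError(f"smspasscode must be 'true' or 'false', got {value!r}")
    return value.strip().lower() == "true"


def load_config(xml_text):
    """Parse <CONFIG> into {site name: [(path, enabled, [(ip, enabled), ...]), ...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "CONFIG":
        raise ValueError("root element must be <CONFIG>")
    sites = {}
    for site in root.findall("SITE"):
        rules = []
        for url in site.findall("URL"):
            hosts = [(h.get("ip", ""), _parse_bool(h.get("smspasscode")))
                     for h in url.findall("HOST")]
            rules.append((url.get("path", "/"), _parse_bool(url.get("smspasscode")), hosts))
        sites[site.get("name")] = rules
    return sites


def _normalise(path):
    return (path.rstrip("/") or "/").lower()


def _path_matches(rule_path, request_path):
    """A <URL> rule covers its own path and every sub-URL beneath it."""
    rule, req = _normalise(rule_path), _normalise(request_path)
    return rule == "/" or req == rule or req.startswith(rule + "/")


def _host_matches(rule_ip, client_ip):
    """'localhost' covers every locally assigned address; otherwise glob-style wildcards."""
    if rule_ip.lower() == "localhost":
        return client_ip in LOCAL_ADDRESSES
    return fnmatchcase(client_ip, rule_ip)


def requires_passcode(config, site_name, request_path, client_ip):
    """True/False if SMS PASSCODE authentication applies to the request.

    Returns None when the site has no <SITE> element: the filter then denies
    access altogether (the 12.6.3.3 case, fixed with IsapiAdmin -refresh).
    """
    if site_name not in config:
        return None
    best = None
    for path, enabled, hosts in config[site_name]:
        if _path_matches(path, request_path):
            # the longest matching path is the most specific rule and overrules the rest
            if best is None or len(_normalise(path)) > len(_normalise(best[0])):
                best = (path, enabled, hosts)
    if best is None:
        return True  # a listed site is protected by default
    _, enabled, hosts = best
    for rule_ip, host_enabled in hosts:
        if _host_matches(rule_ip, client_ip):
            return host_enabled
    return enabled
```

Run it over the paths you care about (the logon virtual directory, /rpc from the outside, anything under a "/secure" prefix) and from both an internal and an external client address; a False for an externally reachable path that was meant to be protected is the kind of mistake the restart-to-apply cycle makes expensive to discover.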


12.7 Configuring Windows Logon Protection

If you have installed the optional SMS PASSCODE® Windows Logon Protection component, it normally requires no further configuration.

The Windows Logon Protection component is implemented as a custom GINA on Windows XP and Windows Server 2003, and as a custom Credential Provider on Windows Vista, Windows 7 and Windows Server 2008 (R2).

IMPORTANT (Windows XP / Windows Server 2003)

When installing the Windows Logon Protection component on Windows XP or Windows Server 2003, remember to restart the computer after installation. The new GINA will not work correctly until the system has been rebooted.

Ensure that all necessary SMS PASSCODE® users have been created BEFORE the system is rebooted. If the system is rebooted before any SMS PASSCODE® users have been created, only local administrators will be able to log on, and only locally using the console, not by remote access over RDP.

12.7.1 Windows Logon User Exclusion Groups

You may optionally configure users who should be excluded from SMS PASSCODE® authentication during Windows Logon. To support this, two local user groups (18) are created on the computer during installation:

• SMS PASSCODE console exclusion: All members of this group are subject to the following rules:

  o They must authenticate using SMS PASSCODE® when they log on to the computer using Terminal Service (RDP).

  o They do not authenticate using SMS PASSCODE® when they log on locally using the console, i.e. only user name and Windows password are required to log on in this case.

• SMS PASSCODE general exclusion: All members of this group log on to the computer without SMS PASSCODE® authentication, whether they log on using Terminal Service (RDP) or locally using the console.

By default, all members of the local Administrators group are automatically added to the SMS PASSCODE console exclusion group during installation. This ensures that local administrators will always be able to log on using the local console.

18 The groups are created as AD groups when the SMS PASSCODE® GINA component is installed on a Domain Controller. Still, the groups only have effect on Windows Logon on the local computer.


12.7.2 Windows Logon Lock Time

By default, SMS PASSCODE® authentication is required on every Windows Logon and also every time the user's session has been locked and the user wishes to unlock it. You can change this behavior if you do not want SMS PASSCODE® authentication to become active immediately whenever the user's session has been locked.

To do this, start the SMS PASSCODE® Configuration Tool from the Windows Start Menu and select the Windows Logon Protection tab. The setting Locked session re-authentication timeout specifies how much time must pass after a session has been locked before SMS PASSCODE® authentication is required to unlock it.

A value of 0 gives the default behavior, i.e. SMS PASSCODE® authentication is required whenever a locked session is unlocked. With a value of e.g. 5, SMS PASSCODE® authentication does not become active until 5 minutes after the session was locked. If the user tries to unlock the session before 5 minutes have passed, the user is allowed to unlock it using user name and Windows password only, i.e. without entering a passcode.


IMPORTANT (Windows XP / Windows Server 2003)

On Windows XP and Windows Server 2003, a change of the Locked session re-authentication timeout setting does not take effect until the computer has been restarted.

12.7.3 RDP Listener Exclusion

Whenever you log on to a Windows machine, your session is established through a specific WinStation. The most common WinStations are Console and RDP-Tcp. The Console WinStation is used when logging on at the local console, whereas the RDP-Tcp WinStation is used when logging on over an RDP connection (TCP port 3389 by default). The RDP-Tcp WinStation is also called an RDP Listener.

You can see which WinStation was used to establish each session on a machine by inspecting the Users tab in the Task Manager. Each session is named after the corresponding WinStation.

By default, when SMS PASSCODE® Windows Logon Protection has been installed on a computer, all Windows sessions are protected by SMS PASSCODE® authentication, unless SMS PASSCODE® authentication is skipped due to the rules of the exclusion groups (cf. section 12.7.1, page 212).

However, it is also possible to disable SMS PASSCODE® Windows Logon Protection for individual WinStations. E.g. you can disable Windows Logon Protection for the Console WinStation to disable SMS PASSCODE® authentication for all local console logons, independent of exclusion group membership; or you can disable Windows Logon Protection for individual RDP Listeners, in case you have created custom RDP Listeners yourself.


WinStation / RDP Listener exclusion is configured on the Windows Logon Protection tab of the SMS PASSCODE® Configuration Tool.
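Exclusion groups, excluded WinStations and the lock timeout are configured in three different places, and the logon paths they leave open only become visible when they are combined. As an added example, not vendor code, the following Python function models the rules of sections 12.7.1 through 12.7.3 for one user, one WinStation and one lock state, and lists the WinStations through which a user can open a session on password alone. The policy object, group memberships and WinStation names are constructed inputs; the order in which the checks are applied is this example's own (the rules are independent, so the outcome does not depend on it).

```python
"""Effective SMS PASSCODE Windows Logon Protection policy.

Added example: models the rules of sections 12.7.1-12.7.3 so the combined effect of
exclusion groups, excluded WinStations and the lock timeout can be reviewed.
Inputs are constructed; the product's internal evaluation order is not documented here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Local group names created by the installer (section 12.7.1).
CONSOLE_EXCLUSION = "SMS PASSCODE console exclusion"
GENERAL_EXCLUSION = "SMS PASSCODE general exclusion"


@dataclass(frozen=True)
class MachinePolicy:
    # WinStations excluded on the Windows Logon Protection tab, e.g. {"RDP-Tcp"} (section 12.7.3).
    excluded_winstations: FrozenSet[str] = frozenset()
    # "Locked session re-authentication timeout" in minutes; 0 = passcode on every unlock (12.7.2).
    lock_timeout_minutes: int = 0


def passcode_required(policy: MachinePolicy, user_groups: Iterable[str], winstation: str,
                      unlock_after_minutes: Optional[int] = None) -> bool:
    """Return True if SMS PASSCODE authentication is demanded.

    winstation:           "Console", "RDP-Tcp" or the name of a custom RDP Listener.
    unlock_after_minutes: None for a fresh logon; otherwise how long the session was locked.
    """
    groups = {g.lower() for g in user_groups}
    excluded = {w.lower() for w in policy.excluded_winstations}
    ws = winstation.lower()
    if ws in excluded:                                   # 12.7.3: listener exclusion ignores groups
        return False
    if GENERAL_EXCLUSION.lower() in groups:              # 12.7.1: never asked, console or RDP
        return False
    if ws == "console" and CONSOLE_EXCLUSION.lower() in groups:   # 12.7.1: console only
        return False
    if (unlock_after_minutes is not None and policy.lock_timeout_minutes > 0
            and unlock_after_minutes < policy.lock_timeout_minutes):   # 12.7.2: inside the window
        return False
    return True


def password_only_paths(policy: MachinePolicy, user_groups: Iterable[str],
                        winstations: Iterable[str]) -> List[str]:
    """WinStations through which this user can open a fresh session with password only."""
    groups = list(user_groups)
    return [ws for ws in winstations if not passcode_required(policy, groups, ws)]


if __name__ == "__main__":
    # The split-listener setup of section 12.7.3.1: RDP-Tcp (LAN) excluded, custom listener for outside.
    policy = MachinePolicy(excluded_winstations=frozenset({"RDP-Tcp"}), lock_timeout_minutes=5)
    stations = ["Console", "RDP-Tcp", "RDP-Tcp-4000"]
    for user, groups in [("alice", []), ("admin", ["Administrators", CONSOLE_EXCLUSION]),
                         ("svc", [GENERAL_EXCLUSION])]:
        print(user, "password only on:", password_only_paths(policy, groups, stations))
```

The sample run shows the point worth reviewing: with the standard listener excluded, every account, not only members of the console exclusion group, can reach the machine over RDP from the LAN on password alone, and a member of the general exclusion group never presents a passcode on any path.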

12.7.3.1 Creating a custom RDP Listener

You can create new custom RDP Listeners on a Windows machine. Why would you want to do this? It might, for example, be useful in the following scenario: A machine is accessible through RDP, but you only want users to be authenticated by SMS PASSCODE® Windows Logon Protection when they log on from the external network. When logging on from the internal LAN, users should be allowed to log on using standard Windows authentication. This can be achieved using the following setup:

• On the target machine: Create a new RDP Listener and assign a non-standard RDP port to this listener, e.g. port 4000.

• Configure your firewall to allow access to port 4000 on the target machine from the external network.

• Configure your firewall to use Network Address Translation (NAT) for all RDP requests arriving from the external network on port 3389, so that they are forwarded to port 4000 on the target machine. This means that all external RDP requests connect to the target machine through the new custom RDP Listener.

• Exclude the standard RDP Listener from SMS PASSCODE® Windows Logon Protection.

Using this setup, all users on the internal LAN can make a standard RDP connection (TCP port 3389) to the standard RDP Listener on the target machine and are allowed to log on using standard Windows authentication, because the standard RDP Listener has been excluded from SMS PASSCODE® Windows Logon Protection. All external requests reach the target machine through the custom RDP Listener (TCP port 4000), so these users are required to perform SMS PASSCODE® authentication to establish a Windows session on the target machine.

The protection in this setup rests entirely on the firewall: since the standard RDP Listener is excluded from SMS PASSCODE® authentication, external clients must never be able to reach TCP port 3389 on the target machine directly.

The scenario above is also possible without configuring NAT in the firewall. In this case, however, external users must manually change the TCP port of their RDP connection to the TCP port of the custom RDP Listener.


To create a custom RDP Listener, please follow this procedure:

1. Make a backup of your registry.

2. Open the registry using regedit.exe.

3. Locate the following key, right-click it and export it to a file:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

4. Open the exported file. Change the name of the key "RDP-Tcp" to a new name of your own choice. This will be the name of the custom RDP Listener. Also change any other required settings, e.g. PortNumber. Save the file.

5. Import the modified file into the registry. The registry now contains a new key with the name of the custom RDP Listener, located below the key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
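Step 4 is a text edit of the exported .reg file, and a mistake there (a renamed key with the port still at 3389, or a subkey left under the old name) is easy to make by hand. The following Python script is an added example, not part of the product, that performs that edit mechanically: it renames the RDP-Tcp key and all of its exported subkeys, sets PortNumber, and refuses input that is not an RDP-Tcp export or a port that would collide with the standard listener. The sample export it contains is constructed; a real export carries many more values, which pass through unchanged.

```python
"""Derive a custom RDP Listener .reg file from a regedit export of RDP-Tcp.

Added example, not part of the SMS PASSCODE product: it performs step 4 of the
procedure above (rename the key, set PortNumber) on the exported file, so that the
result can be imported in step 5. The sample export below is constructed.
"""
import re
import sys

# Matches the exported key and any subkeys: [...\WinStations\RDP-Tcp] or [...\WinStations\RDP-Tcp\Sub]
KEY_LINE = re.compile(r"^\[(?P<base>.*\\WinStations)\\RDP-Tcp(?P<rest>(?:\\[^\]]*)?)\]\s*$",
                      re.IGNORECASE)
PORT_LINE = re.compile(r'^"PortNumber"=dword:[0-9a-fA-F]{8}\s*$', re.IGNORECASE)


def make_custom_listener(reg_text: str, listener_name: str, port: int) -> str:
    """Return the .reg text with RDP-Tcp renamed to listener_name and PortNumber set to port."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", listener_name) or listener_name.lower() == "rdp-tcp":
        raise ValueError("listener name must be a plain identifier other than RDP-Tcp")
    if not 1 <= port <= 65535 or port == 3389:
        raise ValueError("choose a port in 1..65535 other than 3389, which the standard listener uses")
    out, keys_renamed, ports_set = [], 0, 0
    for line in reg_text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            line = "[%s\\%s%s]" % (key.group("base"), listener_name, key.group("rest"))
            keys_renamed += 1
        elif PORT_LINE.match(line):
            line = '"PortNumber"=dword:%08x' % port   # regedit writes REG_DWORD as 8 hex digits
            ports_set += 1
        out.append(line)
    if not keys_renamed:
        raise ValueError("input does not look like an export of ...\\WinStations\\RDP-Tcp")
    if not ports_set:
        raise ValueError("no PortNumber value in the export; the new listener would collide with 3389")
    return "\r\n".join(out) + "\r\n"   # .reg files use CRLF line endings


# Constructed stand-in for a real export (a real one carries many more values).
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]\r\n"
    '"PortNumber"=dword:00000d3d\r\n'
    '"LanAdapter"=dword:00000000\r\n'
    '"fEnableWinStation"=dword:00000001\r\n'
)


def main(argv):
    if len(argv) != 5:
        print("usage: make_listener.py exported.reg new.reg LISTENER_NAME PORT", file=sys.stderr)
        return 2
    src, dst, name, port = argv[1], argv[2], argv[3], int(argv[4])
    with open(src, encoding="utf-16") as fh:          # regedit exports UTF-16 LE with a BOM
        text = fh.read()
    with open(dst, "w", encoding="utf-16", newline="") as fh:
        fh.write(make_custom_listener(text, name, port))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Review the generated file before importing it (step 5); the only lines that should differ from the export are the key headers and the PortNumber value.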


12.7.4 Credential Provider Filtering

On Windows Vista, Windows 7 and Windows Server 2008 (R2), the SMS PASSCODE® Windows Logon Protection component is implemented as a custom Credential Provider. Note that the SMS PASSCODE® installation will by default automatically disable all other installed credential providers (19), restricting users to logging on using SMS PASSCODE® authentication only.

If you wish to allow users to log on using other installed Credential Providers, you can enable these Credential Providers on the Windows Logon Protection tab of the SMS PASSCODE® Configuration Tool. Bear in mind that, unless a provider is known to co-exist with SMS PASSCODE® authentication (see the footnote), re-enabling it opens a logon path on which no passcode is required.

19 Actually the SMS PASSCODE® installation might leave some specific 3rd party credential providers enabled that are known to co-exist with SMS PASSCODE® without disabling or conflicting with SMS PASSCODE® authentication during the Windows Logon. The VMware Credential Provider installed on VMware View 4.0 clients is an example of this.


12.7.5 GINA Chaining

On Windows XP and Windows Server 2003, the SMS PASSCODE® Windows Logon Protection component is implemented as a custom GINA. The SMS PASSCODE® GINA supports GINA chaining, i.e. you can install the SMS PASSCODE® GINA together with other 3rd party GINAs on the same computer, thereby building a GINA chain.

It is very important to keep track of the order of installation and uninstallation of the different GINAs when making use of GINA chaining. Please observe the following rules:

• GINAs are activated in opposite order of installation, i.e. the GINA installed last is the GINA activated first when Windows Logon is requested.

• GINAs must always be uninstalled in opposite order of installation, i.e. the GINA installed last must be uninstalled first. The GINA chain is broken if this rule is not observed.

• All GINAs except the GINA installed first must support GINA chaining. The GINA chain is broken if this rule is not observed.

Please contact your SMS PASSCODE® reseller or SMS PASSCODE A/S if you would like more information regarding GINA chaining.

12.8 Configuring CAGAE Protection

If you have installed the optional CAGAE Protection component, you have to enable SMS PASSCODE® authentication for each CAGAE logon point that requires SMS PASSCODE® authentication. By default, no CAGAE Logon Points are protected by SMS PASSCODE® authentication.

The following subsection describes the actions necessary to protect and unprotect a CAGAE logon point using SMS PASSCODE®.

12.8.1 Protecting and Unprotecting Logon Points

SMS PASSCODE® includes a command-line tool called HttpModuleDeploy.exe. This tool is used for enabling and disabling SMS PASSCODE® authentication for CAGAE logon points.

HttpModuleDeploy.exe is located in the subfolder HttpModule\CAG_Advanced of the SMS PASSCODE® installation folder. The complete default path is:

C:\Program Files\SMS PASSCODE\HttpModule\CAG_Advanced

The syntax of the tool is:

HttpModuleDeploy install "logon point name"
    Enable SMS PASSCODE® authentication for the logon point "logon point name".

HttpModuleDeploy uninstall "logon point name"
    Disable SMS PASSCODE® authentication for the logon point "logon point name".


E.g. if you wish to enable SMS PASSCODE® authentication for the logon point

SampleLogonPoint, you should enter: HttpModuleDeploy install samplelogonpoint


If you afterwards wish to disable SMS PASSCODE® authentication for the logon point

SampleLogonPoint, you should enter: HttpModuleDeploy uninstall samplelogonpoint

IMPORTANT:

Whenever SMS PASSCODE® authentication is enabled or disabled for a CAGAE logon point, remember to refresh the logon page information for this logon point afterwards. If this is not done, the logon pages will not show correctly on the CAG appliance box.


To refresh the logon point page of a CAGAE logon point, follow the instructions below:

1. Start the Citrix Access Management Console (using the Windows Start Menu).

2. Right-click the logon point that needs to be refreshed and select Refresh logon page information.


12.8.2 Redundant CAGAE Setup

SMS PASSCODE® supports redundant CAGAE setups, i.e. setups with multiple servers running the Citrix Advanced Access Control (AAC) software.

When using the Citrix Access Gateway appliance box version 4.6, it is recommended to clear the "Load Balance initial Logon requests" setting in the Access Gateway Administration Tool.


Only if you do not wish to clear this setting, or if you are using an earlier version of the Citrix Access Gateway appliance box, must the following additional requirements be fulfilled to support redundant CAGAE setups:

• When configuring a prioritized list of Transmitter services or Load Balancing services using the SMS PASSCODE® Configuration Tool on each AAC server, use the same type of services on all AAC servers and list the hosts in the same order on all AAC servers.

• All AAC servers must use the same session encryption keys. To achieve this, please follow the procedure described below.


12.8.2.1 Distributing Identical Encryption Keys to AAC Servers

To distribute identical session encryption keys to multiple AAC servers, please follow the procedure below:

1. On the first AAC server, generate a new encryption key and add it to the web.config file of the Logon Point base folder:

   a. Open a command prompt.

   b. Run the KeyGenerator command line tool (default path: "C:\Program Files\SMS PASSCODE\HttpModule\CAG_Advanced\KeyGenerator.exe"). Specify the path of the web.config file that the encryption keys should be added to as the argument to KeyGenerator. Using default paths, the command looks like this:

      KeyGenerator "C:\Inetpub\wwwroot\CitrixLogonPoint\Web.Config"

2. Open the updated web.config file using Notepad and verify that the keys Passcode.EncryptionKey and Passcode.EncryptionIV have been added to the <appSettings> section.

3. Copy the two lines, <add key="Passcode.EncryptionKey" ... /> and <add key="Passcode.EncryptionIV" ... />, to the clipboard, and insert them into the <appSettings> section of the web.config file located in the Logon Point base folder on all other AAC servers.

4. Now all AAC servers use the same session encryption keys.

These two values are the session encryption key material; transfer them between servers over a protected channel and do not leave copies of them in unprotected files.
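The clipboard step above is the one most likely to go wrong when several servers are involved. As an added example, not vendor code, the following Python script reads the two keys from the first server's web.config, verifies both are present (step 2), and writes them into another server's file (step 3), replacing any locally generated values and leaving every other line, comment and the XML declaration untouched. The web.config contents and key values it contains are constructed.

```python
"""Distribute SMS PASSCODE session encryption keys between AAC servers' web.config files.

Added example, not part of the product: performs steps 2-3 of the procedure above
(verify the keys on the first server, insert them on the others). The two web.config
samples are constructed; KEY_NAMES are the appSettings keys the guide names.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict

KEY_NAMES = ("Passcode.EncryptionKey", "Passcode.EncryptionIV")


def read_keys(web_config: str) -> Dict[str, str]:
    """Return both key values from <appSettings>; raise if either is missing (step 2)."""
    root = ET.fromstring(web_config)
    settings = root.find("appSettings")
    found = {}
    if settings is not None:
        for add in settings.findall("add"):
            if add.get("key") in KEY_NAMES:
                found[add.get("key")] = add.get("value", "")
    missing = [k for k in KEY_NAMES if k not in found]
    if missing:
        raise ValueError("web.config lacks %s; run KeyGenerator on it first" % ", ".join(missing))
    return found


def _entry_pattern(key: str):
    # One <add ... key="NAME" .../> element (or <add ...></add>), whatever the attribute order.
    return re.compile(r'<add\b[^>]*\bkey\s*=\s*"%s"[^>]*?(?:/>|>\s*</add>)' % re.escape(key),
                      re.IGNORECASE)


def apply_keys(web_config: str, keys: Dict[str, str]) -> str:
    """Return web_config with the two entries replaced or inserted; nothing else is rewritten (step 3).

    The edit is done on the text rather than through an XML writer so that comments,
    the XML declaration and the formatting of the rest of the file survive.
    """
    text = re.sub(r"<appSettings\s*/>", "<appSettings>\n  </appSettings>", web_config, count=1)
    if "<appSettings" not in text:
        text = text.replace("</configuration>", "  <appSettings>\n  </appSettings>\n</configuration>", 1)
    for name in KEY_NAMES:
        entry = '<add key="%s" value="%s" />' % (name, keys[name])
        pattern = _entry_pattern(name)
        if pattern.search(text):
            text = pattern.sub(lambda _m, e=entry: e, text, count=1)
        else:
            text = text.replace("</appSettings>", "    %s\n  </appSettings>" % entry, 1)
    if read_keys(text) != dict(keys):      # parse the result back before anyone deploys it
        raise RuntimeError("result does not contain the expected keys; is the file well-formed?")
    return text


# Constructed samples: the first AAC server after KeyGenerator, and a second server
# that generated its own (different) key and has no IV entry at all.
FIRST_SERVER = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="keep me" />
    <add key="Passcode.EncryptionKey" value="3q2+7w==" />
    <add key="Passcode.EncryptionIV" value="AAECAwQFBgcICQoLDA0ODw==" />
  </appSettings>
</configuration>
"""

SECOND_SERVER = """<?xml version="1.0"?>
<configuration>
  <!-- second AAC server -->
  <appSettings>
    <add key="SomeOtherSetting" value="keep me" />
    <add value="local-only==" key="Passcode.EncryptionKey" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    print(apply_keys(SECOND_SERVER, read_keys(FIRST_SERVER)))
```

For real files, read the first server's web.config into read_keys() and write apply_keys()'s result back to each other server's file; running it a second time changes nothing, so it can be repeated safely after a server is re-installed.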


12.8.3 Uninstalling CAGAE Protection

If you wish to uninstall the CAGAE Protection component, you can either remove this component only (cf. section 13) or uninstall SMS PASSCODE® completely.

In both cases, please remember to disable SMS PASSCODE® authentication for all CAGAE logon points BEFORE uninstalling the CAGAE Protection component, i.e. you should run HttpModuleDeploy uninstall on each logon point (cf. section 12.8.1) for which SMS PASSCODE® authentication has been enabled.

12.9 Configuration Tool

The SMS PASSCODE® Configuration Tool is used to configure machine specific SMS

PASSCODE® settings. It is located in the Windows Start Menu:


When you start this tool, you will see a number of tabs. The actual number of tabs shown depends on the current configuration and the components that have been installed. The different tabs have the following purposes:

General:
This tab allows you to switch between Single Server Installation and Multi Server Installation mode, e.g. if you need to upgrade a single server installation to a multi server installation.

Database:
In a multi server installation setup, you can specify on this tab the server that the SMS PASSCODE® database service is located on. This tab also contains a Test Connection button which tests whether the connection to the specified database server operates properly.

SMS Transmission:
This tab appears in a multi server installation setup when an SMS PASSCODE® authentication client has been installed. Using this tab, you can specify whether the authentication client(s) on the local machine should communicate directly with SMS PASSCODE® Transmitter hosts or with SMS PASSCODE® Load Balancing hosts. The priority is also specified here, i.e. the order in which the authentication client(s) should attempt to communicate with the specified hosts. This tab also contains a Test Connection button which tests whether the connections to the specified hosts operate properly.


Network:
This tab appears only in multi server installation setups. On this tab you can specify which TCP ports should be used by the different SMS PASSCODE® components, and specify a shared secret (password) that is used for encrypting all communication between the different machines with SMS PASSCODE® components installed. Please ensure that the TCP ports and shared secret are configured identically on all involved SMS PASSCODE® machines. If this is not observed, communication between the machines will fail.

Windows Logon Protection:
This tab appears only when SMS PASSCODE® Windows Logon Protection has been installed on the local machine. The tab allows configuring different settings related to the Windows Logon Protection component. Please read section 12.7 (page 212) for more details.

RADIUS Client Protection:
This tab appears only when SMS PASSCODE® RADIUS Protection has been installed on the local server. The tab allows configuring different settings related to the RADIUS Protection component. Please read section 12.4.3 (page 171) for more details.

Import/Export:
This tab allows importing and exporting all settings configured in the SMS PASSCODE® Configuration Tool. You can either export all settings to a text file or import settings from a text file. This might be useful for backup purposes or for transferring settings from one machine to another. When exporting settings that include a shared secret, you will be prompted to enter a password that is used for protecting (encrypting) the shared secret in the text file. This password is requested again when you import the settings file. Please note that it is possible to import and export settings from the command line (e.g. from a batch file or login script). This is useful if you would like to mass-import SMS PASSCODE® settings to a large number of machines, e.g. when protecting virtual machines like VMware View clients with SMS PASSCODE® Windows Logon Protection, and you need to apply the same network settings including a shared secret to all these clients. The syntax for importing and exporting settings is described in the next section.


12.9.1 Command line arguments

The SMS PASSCODE® Configuration Tool can be started from a command line. The executable is named Config.exe. It is located in the SMS PASSCODE® installation folder, which by default is:

C:\Program Files\SMS PASSCODE

When starting the Configuration Tool from a command line, you may specify some optional arguments.

To export all current settings, use the following syntax:

Config.exe -export:"filename" [-password:"password"] [-quiet]

To import settings from a file, use this syntax:

Config.exe -import:"filename" [-password:"password"] [-quiet]

The command line arguments are described below:

-export:"filename"
    Instructs the configuration tool to export all current settings to the file named filename. Remember to use quotes if the filename contains spaces.

-import:"filename"
    Instructs the configuration tool to import settings from the file named filename. Remember to use quotes if the filename contains spaces.

-password:"password"
    Optional. Specifies the password for encrypting and decrypting the shared secret during export and import, respectively. The password must contain at least 5 characters. This argument is only required if the exported/imported settings contain a shared secret.

-quiet
    Instructs the configuration tool to perform the requested action quietly, i.e. without any user interaction.


Examples (the password 12345 is used for brevity only; it is all that protects the shared secret in the exported file, so use a strong password in practice, and remember that a password placed in a login script is readable by everyone who can read that script):

Open the Configuration Tool and export all current settings to a file named mySettings.xml. Encrypt the shared secret using the password 12345:

Config.exe -export:"mySettings.xml" -password:"12345"

Export all current settings to a file named mySettings.xml. Encrypt the shared secret using the password 12345. Perform the action quietly, i.e. do not open the Configuration Tool:

Config.exe -export:"mySettings.xml" -password:"12345" -quiet

Open the Configuration Tool and import settings from a file named mySettings.xml. Decrypt the shared secret using the password 12345:

Config.exe -import:"mySettings.xml" -password:"12345"

Please note that this imports the settings into the Configuration Tool user interface without actually saving them, i.e. you have the chance to inspect all the imported settings before clicking the Save button and applying the settings.

Import settings from a file named mySettings.xml. Decrypt the shared secret using the password 12345. Perform the action quietly, i.e. do not open the Configuration Tool, but apply all imported settings right away:

Config.exe -import:"mySettings.xml" -password:"12345" -quiet


13 ADD/REMOVE COMPONENTS

If you wish to add or remove some components from the SMS PASSCODE® installation, you can

always run the SMS PASSCODE® installation again – as often as you like. In this way you can add

or remove SMS PASSCODE® Authentication Clients.

You can also add or remove core components (Database Service, Web Administration

Interface, Transmitter Service, Load Balancing Service) in case of a Multi Server Installation.

To add/remove components, simply run the SMS PASSCODE® installation program again, just as you would do during a first-time installation. You will notice that a different dialog is shown in this case. Please select Modify in this dialog and click the Next button. After this, follow the same procedure as you did during first-time installation.


14 TROUBLESHOOTING

This section describes some common errors and the corresponding solutions:

• No SMS is received during SMS PASSCODE® authentication: Section 14.1 (page 232)

• Error message "No mobile number for user" is shown during authentication: Section 14.2 (page 233)

• Component communication problems in a multi server setup: Section 14.3 (page 236)

• Active Directory integration does not work as expected: Section 14.4 (page 237)

14.1 SMS Transmission Problems

In case of SMS transmission issues, always start by opening the Windows Event Viewer and checking the SMS PASSCODE Transmission event log to verify whether any SMS was sent. Look for transmission events, and also check whether any initialization errors have occurred. In case of any error or warning events, inspect these events for details.


The following table lists typical problems, the corresponding error message in the SMS PASSCODE Transmission event log, and the possible reasons.

Problem: SMS transmissions fail permanently
Event log message: "Error during initialization of SMS Modem (COMx): ERROR: SMS modem not ready." or "Error during initialization of SMS Modem (COMx): Device not found on COMx." (Event ID 292)
Possible reasons: No connection to the GSM modem because:
  • the GSM modem is not powered on
  • the GSM modem is not connected to the COM port specified in the SMS PASSCODE setup
  • the COM port is damaged
  • the GSM modem is damaged

Problem: SMS transmissions fail permanently
Event log message: "Error during initialization of SMS Modem (COMx): Port Open Failure" (Event ID 292)
Possible reasons: No connection to the GSM modem because:
  • a different application is using the COM port specified in the SMS PASSCODE setup
  • the COM port is damaged
  • the specified COM port does not exist

Problem: SMS transmissions fail permanently
Event log message: "Error during initialization of SMS Modem (COMx): ERROR: Could not register PIN code." (Event ID 292)
Possible reasons: Initialization of the GSM modem fails because an incorrect SIM PIN code has been entered. Correct the PIN code in the SMS PASSCODE® Web Administration interface.

Problem: SMS transmissions fail permanently or periodically
Event log message: "Error occured while trying to send SMS to +xxxxxxxx on COMx: ERROR (Fx): Unable to send SMS (Mobile: xxxxxxxx). Modem reply='xxxxxxx ERROR'." (Event ID 10000; the spelling "occured" is the log's own)
Possible reasons: This could be due to a deactivated SIM card or insufficient GSM coverage. To determine the exact reason, power off the GSM modem, pull out the SIM card and verify that it works (e.g. put it into a mobile phone and try to send an SMS). If the SIM card does not work in a mobile phone, replace it with another SIM card. If it works fine in a mobile phone, the problem is most probably insufficient GSM coverage. You can inspect the GSM signal strength on the Modem Monitoring page in the Web Administration Interface. In case of low signal strength, try to move the GSM modem to a location with better GSM coverage or try a better antenna.

Problem: A specific user does not receive SMS, even though it is sent correctly according to the event log
Event log message: None
Possible reasons: The user's mobile phone might not support flash SMS. Try to disable flash SMS for this user (you can disable flash SMS for a specific user in the SMS PASSCODE® Web Administration interface).

14.2 Error message "No mobile number for user" During Authentication

This error message is shown during authentication if a user who has not been created as an SMS PASSCODE® user tries to authenticate. This might be due to different reasons:

1. The user has not been created:

o If users are created manually in the SMS PASSCODE® Web Administration interface, check whether the user in question is in fact present in the user list.


o If users are created using AD Integration, check whether the user in question is in fact present in the user list of the SMS PASSCODE® Web Administration interface. If the user is not present, this is most probably due to one of the following reasons:
    - The user is not a member of the SMS PASSCODE® user group in AD, or
    - No mobile phone number, or an invalid mobile number, has been entered on the user's account in AD.

2. The authentication client is sending an incorrect domain name:

o If you have enabled AD Integration and are not using UPN names, note that SMS PASSCODE® adds the NETBIOS domain name in front of all user names. Therefore, authentication fails if the authentication client prepends the user name with a different domain name, e.g. the DNS domain name. Ensure for all authentication clients that automatically add a domain name that the NETBIOS domain name is added. If this is not possible, you could consider changing the prepended domain name in the SMS PASSCODE® database using Data Transformations (cf. page 149), or using the UPN format.

o The note above applies in particular to Citrix Web Interfaces. When entering a fixed domain name or a list of fixed domain names during configuration of a Citrix Web Interface, these must be NETBIOS domain names. To check this, configure the authentication method "Explicit" of the Citrix Web Interface and click the Settings… button in the dialog box that appears.


In the dialog box that opens, check that the list of domain names contains only NETBIOS domain names.
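As an added example, not part of the guide or the product, the following Python code models the mismatch described above: it maps the name an authentication client sends (NETBIOS\user, DNS-domain\user or user@UPN) to the NETBIOS\user form stored with AD Integration, in the way a Data Transformation would, and lists the entries of a Web Interface fixed-domain list that are not NETBIOS names. The DNS-to-NetBIOS mapping is constructed; take the real one from Active Directory.

```python
"""Map logon names to the NETBIOS\\user form that SMS PASSCODE expects with AD Integration.

Added example, not product code: it models the domain-prefix mismatch described above
and the Data Transformation an administrator might configure to repair it. The
DNS-to-NetBIOS mapping is constructed; take the real one from Active Directory.
"""
from typing import Dict, List, Optional

DNS_TO_NETBIOS: Dict[str, str] = {"corp.example.com": "CORP", "lab.example.com": "LAB"}


def netbios_user_name(sent: str, dns_to_netbios: Dict[str, str]) -> Optional[str]:
    """Return NETBIOS\\user for the name an authentication client sends, or None if no
    mapping exists (such a user fails with "No mobile number for user")."""
    netbios_names = {n.upper() for n in dns_to_netbios.values()}
    if "@" in sent:                                   # UPN: user@dns.domain
        user, _, dns = sent.rpartition("@")
        netbios = dns_to_netbios.get(dns.lower())
        return "%s\\%s" % (netbios, user) if netbios else None
    if "\\" in sent:                                  # DOMAIN\user
        domain, _, user = sent.partition("\\")
        if "." in domain:                             # DNS name prepended: the mismatch described above
            netbios = dns_to_netbios.get(domain.lower())
            return "%s\\%s" % (netbios, user) if netbios else None
        return "%s\\%s" % (domain.upper(), user) if domain.upper() in netbios_names else None
    return None                                       # bare user name: cannot tell which domain was meant


def non_netbios_domains(configured: List[str], dns_to_netbios: Dict[str, str]) -> List[str]:
    """Entries of a Citrix Web Interface fixed-domain list that are not NETBIOS names."""
    netbios_names = {n.upper() for n in dns_to_netbios.values()}
    return [d for d in configured if d.upper() not in netbios_names]


if __name__ == "__main__":
    for sent in ["corp\\alice", "corp.example.com\\alice", "alice@corp.example.com",
                 "other.example.net\\alice", "alice"]:
        print("%-30s -> %s" % (sent, netbios_user_name(sent, DNS_TO_NETBIOS)))
    print("fix these Web Interface entries:",
          non_netbios_domains(["CORP", "lab.example.com"], DNS_TO_NETBIOS))
```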


14.3 Component Communication Problems in a Multi Server Setup

If you are experiencing problems related to communication between components in a multi server setup, note the following requirements:

• All machines must run the same version of SMS PASSCODE®.

• All machines must be in multi server mode to communicate with each other correctly. You can verify this using the SMS PASSCODE® Configuration Tool by inspecting the General tab on each machine. If any machine is in Single Server Installation mode, switch it to Multi Server Installation mode and restart the machine.

• The same shared secret must be entered on all machines.

• The TCP ports used for communication must be open between the different machines (see section 8.1, page 28, for TCP port details). If any default TCP port was changed to a different port number during installation, this port change must be performed on all involved machines.


Diagnosing component communication

If you wish to check whether the communication between different machines works correctly, you

can test the communication using the SMS PASSCODE® Configuration Tool. The tabs Database

and SMS Transmission contain Test Connection buttons for diagnosing component

communication.


14.4 Active Directory Integration does not Work as Expected

It is recommended to install the SMS PASSCODE® Database service on a domain member server or a domain controller. Enabling Active Directory Integration is very easy in this case, cf. section 12.1.12.

If Active Directory Integration does not work, use the Test AD authentication button on the AD Integration page of the SMS PASSCODE® Web Administration interface and check the result.

Common problems regarding Active Directory Integration:

• Error message "AD group xxx not found": Verify that the group name is spelled identically in the SMS PASSCODE® Web Administration interface and in Active Directory. Also ensure that the group has been replicated to the domain controller that SMS PASSCODE® is connecting to.

• A specific user is not synchronized to the SMS PASSCODE® Web Administration interface: Verify in AD that the user is a direct or indirect member of the SMS PASSCODE® AD group and that a valid mobile phone number has been entered on this user's account.

• No users are synchronized to the SMS PASSCODE® Web Administration interface when using Global Catalog: Ensure that the field containing the users' mobile phone numbers is replicated to the Global Catalog.


Confidential information

Please note that the information above is intended for SMS PASSCODE® customers and partners

only with the purpose of implementing and maintaining SMS PASSCODE®. Any other use needs to

be authorized by SMS PASSCODE A/S prior to disclosing information from this document.