Getting started
Features and benefits
What you can do with Defender
Managing Defender objects in Active Directory
Authenticating VPN users
Authenticating Web site users
Authenticating users of Windows-based computers
Deploying Defender
Step 1: Install required Defender components
Step 2: Configure Defender Security Server
Step 3: Create and configure objects in Active Directory
Step 4: Program and assign security tokens to users
Defender Setup Wizard reference
Defender Security Server Configuration tool reference
Communication ports
Upgrading Defender
Upgrading Defender Security Server and Administration Console
Upgrading Defender Management Portal
Upgrading Management Shell
Licensing
Managing user objects
Configuring security tokens
Managing tokens for a user
Resetting passphrase for a user
Managing Defender Security Policy for a user
Managing RADIUS payload for a user
Managing security token objects
Importing hardware token objects
Assigning a hardware token object to a user
Modifying token object properties
Import Wizard reference
Managing Defender Security Policies
Creating a Defender Security Policy object
Modifying Defender Security Policy object properties
Managing Access Nodes
Managing Defender Security Servers
Creating a RADIUS payload object
General tab
Account tab
Expiry tab
Logon Hours tab
SMS Token tab
E-mail Token tab
GrIDsure Token tab
Default Defender Security Policy
Configuring Defender Soft Token
Configuring GrIDsure token
Enabling the use of Authy
Enabling the use of Google Authenticator
Configuring SMS token
Configuring e-mail token
Configuring VIP credentials
Configuring YubiKey
Defender Token Programming Wizard reference
Securing VPN access
Configuring Defender for remote access
Configuration example
Securing Web sites
Securing Windows-based computers
Configuring your remote access device
Using Defender VPN Integrator
Defender EAP Agent
Step 1: Create an AAA server group, add Defender Security Server
Step 2: Configure an IPsec connection profile
Configuring Defender
Installing Defender Desktop Login by using a wizard
Performing an unattended installation of Defender Desktop Login
Configuring Defender Desktop Login by using a configuration tool
Configuring Defender Desktop Login by using Group Policy
Defender Desktop Login Configuration tool reference
Defender Management Portal (Web interface)
Installing the portal
Opening the portal
Specifying a service account for the portal
Configuring the portal
Portal roles
Enabling automatic sign-in
Configuring self-service for users
Troubleshooting authentication issues
Managing users
Managing security tokens
Viewing authentication statistics
Viewing Defender Security Server warnings and logs
Viewing token requests from users
Using Defender reports
Securing PAM-enabled services
Generating a report
Managing portal database
Defender Security Server log cache
Log Receiver Service database
Audit trail
Authentication requests
Authentication activity
Authentication violations
Defender Security Server configuration
License information
Proxied users
RADIUS payloads
Tokens
Active, inactive, and locked users
User details
Report scheduling settings
Viewing a generated report
Deleting generated reports
Viewing a list of scheduled reports
Deleting scheduled reports
Installing Defender PAM
Configuring Defender PAM
Delegating Defender roles, tasks, and functions
Step 1: Enable authentication for target service
Step 2: Specify Defender Security Servers
Step 3: Configure access control for users and services
Step 4: Configure Defender objects in Active Directory
Testing Defender PAM configuration
Defender PAM logging
Auth arguments
Steps to delegate roles, tasks, and functions
Roles
Service accounts
Advanced control
Full control
Using control access rights
Automating administrative tasks
Installing Defender Management Shell
Uninstalling Defender Management Shell
Opening Defender Management Shell
Getting help
Cmdlets provided by Defender Management Shell
Administrative templates
Installing administrative templates
Configuring administrative templates
Temporary Responses setting
Active Roles Web Interface - Token Programming setting
Mail Configuration setting
ADSI Configuration setting
Updating Administrative templates from .adm to .admx
Integration with Active Roles
Installing Defender Integration Pack for Active Roles
Commands added to the Active Roles Web Interface
Enabling additional features via Group Policy
Enabling automatic deletion of tokens
Delegating Defender roles or tasks
Upgrading Defender Integration Pack for Active Roles
Uninstalling Defender Integration Pack for Active Roles
Appendices
Appendix A: Enabling diagnostic logging
Administration Console
Defender Core Token Operations SDK (DTSDK)
Defender Security Server
Desktop Login
EAP Agent
Integration Pack for Active Roles
Management Portal
Management Portal (reports)
Management Shell
Service Connection Point
Soft Token for Windows
Token Import
Token Programming
VPN Integrator
Web Service API
Product information tool
Appendix B: Troubleshooting common authentication issues
Step 1: Gather required information
Step 2: Analyze Defender Security Server log
Step 3: Gather further diagnostics
Appendix C: Troubleshooting DIGIPASS token issues
Step 1: Determine type of failure
Step 2: Verify Defender configuration
Step 3: Gather further diagnostics
Appendix D: Defender classes and attributes in Active Directory
Classes defined by Defender
Appendix E: Defender Event Log messages
defender-tokenClass
defender-danClass
defender-dssClass
defender-policyClass
defender-licenseClass
defender-radiusPayloadClass
defender-tokenLicenseClass
Classes extended by Defender
Attributes defined by Defender
defender-tokenType
defender-tokenData
defender-userTokenData
defender-tokenUsersDNs
defender-tokenDate
defender-dssDNs
defender-dssMembers
defender-danKey
defender-id
defender-violationCount
defender-resetCount
defender-lastLogon
defender-objectActive
defender-prompts
defender-authMethods
defender-lockoutThreshold
defender-lockoutDuration
defender-lockoutTime
defender-policy
defender-policyMembers
defender-danType
defender-userIdType
defender-subnetMask
defender-accessCategories
defender-danMembers
defender-danDNs
defender-dssVersion
defender-radiusPayloadDn
defender-radiusPayloadMembers
defender-radiusPayloadData
defender-radiusPayloadGroups
defender-radiusPayloadGroupsDN
defender-radiusPayloadInherit
defender-policyAutoUnlock
defender-policyMobileUsers
defender-policyMaximumPasswordAge
defender-policyMaximumPINAge
defender-policyPasswordChangeFlags
defender-policyPasswordFilter
defender-policyGINAOptions
defender-policyLoginTimes
Defender VPN Integrator messages
Defender Report Scheduler messages
Defender Administration Console messages
Appendix F: Defender Client SDK
Installing Defender Client SDK
Application Programming Interfaces (APIs)
Appendix G: Defender Web Service API
IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces
IAuthenticator2 and IAuthenticator3 interfaces
IAuthenticator3 interface
AddPayload method
GetGridData method
GetAuthenticationImage method
SetGridResetPIPAttribute method
payload property
grIDsureMessage property
grIDsureGridType property
IAuthInfo interface
Defender Security Server messages
API methods
AddSoftwareTokenToUser method
AddTokenToUser method
GetTokensForUser method
RemoveAllTokensFromUser method
RemoveDefenderPassword method
RemovePinFromUserToken method
RemoveTemporaryResponse method
RemoveTokenFromUser method
ResetDefenderToken method
ResetDefenderViolationCount method
SetDefenderPassword method
SetPinOnUserToken method
SetTemporaryResponse method
TestDefenderToken method
API types
Using control access rights
Control access rights are provided as an optional setting during the installation of the Defender Administration Console. Control access rights can be combined with the delegated administration privileges assigned to security groups or users.
The Defender control access rights act as an additional layer of administration security, allowing you to enable or disable the token-related buttons provided below the Tokens list on the Defender tab in the Properties dialog for a Defender user:
With control access rights, you can enable or disable the following buttons:
- Program Allows you to program the selected token for the user.
- Recover Unlocks the selected token.
- Test Starts a non-intrusive test to verify the token’s response.
- Helpdesk Allows you to reset the token or assign a temporary token response to the user.
- Unassign Unassigns the selected token from the user.
- Add Assigns a new token to the user.
- Set PIN Sets a PIN for the selected token.
- Password Allows you set up a new or change the existing Defender password for the user.
To assign control access rights to users
- Use the Defender Administration Console to enable the Security tab for the Defender users. By default, the Security tab is disabled.
Do the following:
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane, expand the appropriate domain node, and then click to select the Defender container.
- On the menu bar, click View, and then click Advanced Features.
- In the left pane (console), locate the organizational unit that holds the Defender users to whom you want to assign control access rights.
- Right-click the OU, and then on the shortcut menu click Properties.
- In the dialog box that opens, click the Security tab, and then click Advanced.
- Click Add to add the security group or user account.
- In the Permission Entry for Users dialog box, use the following elements:
- Apply on Select the target for the permissions you are going to select (user objects or descendant user objects).
- Permissions list Select the check boxes next to the permissions you want to assign.
- Click OK to apply your changes.
To remove control access rights from a group of users
- In the Advanced Security Settings dialog box, click to select the appropriate entry in the Permission entries list.
- Click the Remove button below the list, and then click OK.
Automating administrative tasks
Defender Management Shell, built on Microsoft Windows PowerShell technology, provides a command-line interface that enables automation of Defender administrative tasks. With the Defender Management Shell, administrators can perform token-related tasks such as assigning tokens to users, assigning PINs, or checking for expired tokens.
The Defender Management Shell command-line tools (cmdlets), like Windows PowerShell cmdlets, are designed to deal with objects—structured information that is more than just a string of characters appearing on the screen. The cmdlets do not use text as the basis for interaction with the system, but use an object model that is based on the Microsoft .NET platform. In contrast to traditional, text-based commands, the cmdlets do not require the use of text-processing tools to extract specific information. Rather, you can access required data directly by using standard Windows PowerShell object manipulation commands.
Before installing the Defender Management Shell feature, make sure your computer meets the system requirements described in the Defender Release Notes.
All cmdlets are presented in verb-noun pairs. The verb-noun pair is separated by a hyphen (-) without spaces, and the cmdlet nouns are always singular. The verb refers to the action that the cmdlet performs. The noun identifies the entity on which the action is performed. For example, in the Add-TokenToUser cmdlet name, the verb is Add and the noun is TokenToUser.
- Installing Defender Management Shell
- Uninstalling Defender Management Shell
- Opening Defender Management Shell
- Getting help
- Cmdlets provided by Defender Management Shell
Installing Defender Management Shell
To install the Defender Management Shell
- In the Defender distribution package, open the Setup folder, and run the Defender.exe file.
- Complete the Defender Setup Wizard.
When stepping through the wizard, make sure to select the Defender Management Shell feature for installation. For more information about the wizard steps and options, see Defender Setup Wizard reference.
Uninstalling Defender Management Shell
To uninstall the Defender Management Shell
- Open the list of installed programs (appwiz.cpl).
- In the list, click to select the Defender entry.
- At the top of the list, click the Change button and step through the wizard that starts.
- In the Change, Repair, or Remove Installation step, click the Change button.
- In the Select Features step, click the Defender Management Shell feature, and then click Entire feature will be unavailable.
- Complete the wizard.