Chat now with support
Chat with Support

Defender 6.4.1 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Enabling the use of VIP credentials

To enable the use of VIP credentials

  1. Install a VIP certificate:
    1. On the computer where the Defender Administration Console is installed, start the Active Directory Users and Computers (ADUC) tool (dsa.msc).
    2. In the left pane (console tree), expand the appropriate domain node, and click to select the Defender container.
    3. On the menu bar, select Defender | VIP Credential Configuration.
    4. In the dialog box that opens, click the Install button.
    5. Click Browse to select the VIP certificate you want to use, and then type the certificate’s password.
    6. When finished, click OK.
  2. Configure the correct URL for communications with the Symantec VIP Service.

At the time of writing, the Symantec VIP Service URL was https://services-auth.vip.symantec.com. For the correct URL, refer to the Symantec VIP Service documentation.

  1. Click the Test button to ensure you have correctly specified the VIP certificate, certificate password, and URL to the Symantec VIP Service.
  2. When you are finished, click OK to close the dialog box.

Programming a VIP credential for a user

Before programming a VIP credential, make sure you enable the use of VIP credentials in Defender. For more information, see Enabling the use of VIP credentials.

In this step, you program and assign a VIP credential to the user you want. You can reassign an existing VIP credential from one user to another or assign a new VIP credential as required.

To program a VIP credential for a user

  1. On the computer on which the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. Locate and double-click the required user object.
  3. In the dialog box that opens, click the Defender tab.
  4. Under the Tokens list, click the Program button, and then complete the wizard that starts.

    For more information about the wizard steps and options, see Defender Token Programming Wizard reference.

    After you complete the wizard, a new VIP credential entry appears in the Tokens list on the Defender tab.

Configuring YubiKey

You can allow users to authenticate via Defender by using one-time passwords generated with the YubiKey hardware token. Defender supports the YubiKey token programmed to work either in the Yubico OTP or OATH-HOTP mode.

See the following sections for instructions on enabling the use of the YubiKey token programmed in one of these modes:

Yubico OTP mode

When the YubiKey tokens you have purchased are in the Yubico OTP mode, to enable their use with Defender, you need to specify the client ID and API key provided with the tokens in the Defender Administration Console, and then configure self-service settings on the Defender Management Portal to enable users to self-register their YubiKey tokens on the Defender Self-Service Portal.

When a user registers the YubiKey on the Defender Self-Service Portal, the corresponding token object is automatically created in Active Directory.

To enable the use of YubiKey working in Yubico OTP mode

  1. In the Defender Administration Console, specify the client ID and API key provided to you with the YubiKey tokens:
    1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
    2. In the left pane of the ADUC tool, expand the appropriate domain node, and click to select the Defender container.
    3. On the menu bar, select Defender | YubiCloud Client Configuration.
    4. In the dialog box that opens, type the client ID and API key provided to you with the YubiKey tokens.
    5. Click the Test button, and follow the on-screen instructions to ensure the supplied client ID and API key are valid. If the test completes successfully, click OK to save the client ID and API key.
  2. Configure the Defender Self-Service Portal to enable the registration of YubiKey tokens for the users:
    1. Open the Defender Management Portal. For more information, see Opening the portal.
    2. In the left pane, click the Self-Service Settings tab.
    3. In the right pane, on the General tab, use the Permissions area to add Active Directory groups and enable their members to register their YubiKey tokens via the Defender Self-Service Portal.

      For the descriptions of elements you can use on the Self-Service Settings tab, see Configuring self-service for users.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating