立即与支持人员聊天
与支持团队交流

Defender 6.4 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

OATH-HOTP mode

When the YubiKey tokens you have purchased are in the OATH-HOTP mode, to enable their use with Defender you need to import the YubiKey token objects into Active Directory by using the .txt import file (also known as the key file) containing token object definitions. Then, you can assign the imported token objects to users as necessary.

Normally, the .txt import file is provided together with the YubiKey tokens. Before importing token objects, you need to modify the .txt import file so that Defender can read its contents.

To enable the use of YubiKey working in OATH-HOTP mode

  1. Change the file name extension of the .txt import file to .csv.
  2. Open the .csv file in Microsoft Excel. The .csv file looks similar to the following:

 

 

The columns in the file contain the following:

  • A  YubiKey serial number.
  • B 160-bit secret set
  • C  Moving factor seed value.
  • D Configuration password. Contains zeros if configuration password is not set.
  1. Delete column D.
  2. Save the .csv file. Now the file is ready for import.
NOTE: Keep the initial .txt file containing the passwords associated with each of the Yubikeys, to program the second slot though the Yubico interface later.
  1. Import token objects from the .csv file into Active Directory. For instructions, see Importing hardware token objects.
  2. Assign the imported YubiKey token objects to users as necessary. For instructions, see Assigning a hardware token object to a user.

Defender Token Programming Wizard reference

 

Table 12:

Defender Token Programming Wizard reference

Wizard step

Your action

Select Token Type

You can select one of the following options:

  • Software token  Allows you to program and assign a software token, such as Defender Soft Token, e-mail token, GrIDsure token, or SMS token.
  • Hardware token  Allows you to program and assign a hardware token, such as DIGIPASS or YubiKey. This option does not support hardware VIP credentials.
  • Symantec VIP credential  Allows you to program and assign a software or hardware VIP credential. This option becomes available after you enable the use of VIP credentials. For details, see Enabling the use of VIP credentials.

Select Software Token

Click to select the software token you want to program and assign to the user.

Activation Settings

Select the Expire token activation code after check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid.

The token activation code is generated when you complete this wizard.

Leave the Expire token activation code after text box cleared if you do not want to limit the validity time period of the token activation code.

Activation and Passphrase Settings

In this step, you can select the following check boxes:

  • Expire token activation code after  Select this check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid. The token activation code is generated when you complete this wizard.
  • Alert user about failed passphrase attempts  Select this check box to notify the user when the user has entered an incorrect passphrase when unlocking the token. Optionally, you can select the Lock token passphrase after check box to lock the passphrase after the user has expended the specified number of attempts to unlock the token.
  • Token requires a passphrase  Select this check box to enforce the user to configure a passphrase for using with the token. When this check box is cleared, no passphrase is required. If you select this check box, you can optionally select the Passphrase must be strong check box, which requires the user to configure a passphrase that is at least six characters long, includes uppercase and lowercase characters, and numbers or special characters.

Mode, Encryption, and Response

Use the options in this step to specify an operation mode (synchronous or challenge-response), encryption method, and response length for the software token.

Select Password Algorithm

Select the one-time password algorithm you want Google Authenticator to use.

You can select one of the following algorithms:

  • Time based (TOTP)  One-time password remains valid for a particular amount of time. Then, Google Authenticator automatically generates a new one-time password.
  • Counter based (HOTP)  One-time password remains valid until the user manually generates a new one-time password in Google Authenticator.

Note that the algorithm you select in this wizard is only used if the user activates Google Authenticator with a QR code.

If the user activates Google Authenticator by manually typing the activation code, the one-time password algorithm specified by the user in Google Authenticator during activation takes precedence over the option you select in this wizard.

Select Token Location

Specify the Active Directory container in which you want to store the token object.

If you change the default location, ensure that the Defender Security Server service account and the Defender administrator account have sufficient permissions for the new location you specify.

Activation Code Distribution

Specify options for saving the token activation code.

In this step, you can use the following options:

  • One file for all users  Saves token activation codes for all users to a single file.
  • Individual file for each user  Saves token activation code for each user to an individual file.
  • File Location  Specify path to the folder in which you want to create files containing token activation codes.
  • File Name  Specify name for the file in which you want to store token activation codes. If a file with such name does not exist, it will be created.
  • Append activation codes to existing file  If you select this option and the file with the specified name already exists in the specified location, the wizard appends the activation codes to the file without overwriting its contents. If you leave this check box cleared, the existing file’s contents will be overwritten with the new token activation codes.

Action for Existing GrIDsure Tokens

This step shows up if the selected users already have a GrIDsure token assigned. Each user can only have one GrIDsure token assigned.

Select one of the following options:

  • Overwrite existing tokens  Creates new GrIDsure token objects which overwrite the existing GrIDsure token objects assigned to the users. As a result, the users will have to configure their GrIDsure Personal Identification Pattern (PIP) the next time they access a protected resource.
  • Keep using existing tokens  Does not create new GrIDsure token objects for the users who already have GrIDsure tokens assigned.

VIP Credential Activation

Enter the credential ID shown on the VIP credential you want to assign to the user. Make sure you register that credential ID with Symantec.

 

FIDO2 compatible Hardware Yubikey

Defender6.4.0 version supports FIDO2 compatible hardware Yubikey. 

  • A FIDO2 token
    • Can be used for authentication only in ISAPI clients.
    • Can be programmed through Management Portal only.
    • Cannot be created as a placeholder Token; it is required to program a FIDO2 token to a specific User.
  • It cannot be assigned or unassigned from a user like other tokens because of FIDO2 protocol security.

  • If user’s hardware key is stolen/broken, it can be deleted from Management Portal.

  • FIDO2 tokens will have priority during authentication if multiple other types of Tokens are assigned to user.

    • If user has FIDO2 tokens along with combination of push notification compatible and non-compatible tokens and they choose to Sign with Other option while authenticating with FIDO2, priority will be given to push Notifications.

  • FIDO2 tokens will have priority while authentication if multiple other types of Tokens are assigned to user.

    • If FIDO2 with Android/iOS and other Window Token both are assigned to a user and If User chooses to Sign with Other option while authenticating with FIDO2, second priority will be given to Android/iOS tokens push Notifications.

  • A maximum of 12 FIDO2 tokens can be programmed for a single user.
  • FIDO2 cannot be programmed using management shell and ADUC.
    • YubiKey hardware token can be simultaneously used in FIDO2, Yubico OTP and OATH-HOTP modes.

To Program a FIDO2 Token

  1. Open Management Portal, Go to Management Tab and under Users Tab, Search for User to whom you want to assign FIDO2 token.

  2. Click on Program option; A window pop up will appear with different options of Software and Hardware Tokens.

  3. Choose Hardware Tab and select FIDO2 option and click Program Token.

  4. Another window pop-up will appear for user to enter FIDO2 token name:

    • Should be at least four characters.

    • Special character and space are not allowed.

    • Underscore(_) is allowed.

    • Maximum length should be 40 characters.

  5. Click on Request and window will display success message.

  6. FIDO2 token will appear in assigned token list of user with unique ID.

Operations on FIDO2 Token in Management Portal

  1. Each FIDO2 token can be managed from assign token list of user using Manage button next to the token.

  2. On clicking Manage, a window will appear with two tabs named EDIT and DELETE.

  3. If user chooses EDIT, he can change the name of FIDO2 token.

  4. If user chooses DELETE, he can delete the assigned FIDO2 token.

Configuration settings to provide access to request FIDO2 token from Self-Service

  1. Sign in to the Defender Management Portal as a portal administrator.

  2. Click the Administer Defender option.

  3. In the left pane, click the Self-Service Settings tab.

  4. In the right pane, under General tab choose Edit Permissions for AD Group.

  5. Window will appear with list of tokens to make available to this group on the Defender Self-Service Portal.

  6. Either Select All or select FIDO2 and click on Ok button.

  7. Save the Self-Service settings.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级