
Token Management System (TMS)
Version 2.0 SP3

Installation and Configuration Guide
May 2008

Token Management System (TMS)

Contacting Aladdin eToken

If you have any questions about Aladdin eToken, contact your local reseller or the Aladdin eToken technical support team:

Region: Contact
- USA: 1-212-329-6658, 1-866-202-3494, etoken.ts.us@aladdin.com
- Austria, Belgium, France, Germany, Italy, Netherlands, Spain, Switzerland, UK: 00800-22523346
- Ireland: 0011800-22523346
- Rest of the world: +972-3-9781299

You can submit a question to the Aladdin eToken technical support team at the following web page:
http://www.aladdin.com/forms/etoken_question/form.asp

Website
http://www.aladdin.com/eToken

Additional Documentation
We recommend reading the following Aladdin eToken publications:
- eToken TMS 2.0 SP3 Installation and Configuration Guide (this document)
- eToken TMS 2.0 SP3 Reference Guide
- eToken TMS 2.0 SP3 Connectors Guide
- eToken TMS 2.0 SP3 ReadMe
- eToken OTP Authentication 2.0 Administrators Guide
- eToken TMS - Entrust Connector 2.0 SP2 Administrators Guide


About This Manual

Intended Audience
This manual should be read by eToken customers and system administrators/integrators who wish to install and configure eToken TMS.

Text Conventions
The following conventions are followed throughout this manual.

Convention: Explanation
- Boldface: Used to indicate text that you enter, type or execute. Example: Click Enter, Save or Delete.
- Italicized: Used to highlight objects in the application. Example: The Production Domain window opens, The Connectors window opens.
- Note: Indicates additional information related to the task being discussed.
- Caution: Identifies potential problems that the user should look out for when completing a task, or problems to be addressed before completing a task.
- >: Used as a shortcut to indicate the path to be followed. Example: Programs>eToken>TMS indicates: from the Programs menu choose the eToken submenu, and in eToken choose the TMS option.
- Sidebar: Provides ancillary information on the topic being discussed. Go to sidebars to learn additional information about the topic.

Table of Contents

Chapter 1 Introduction ... 1
  Overview ... 2
  Main Features ... 3
  New in TMS 2.0 ... 3
  New in TMS 2.0 SP3 ... 4
Chapter 2 System Requirements ... 7
  TMS Server System Requirements ... 8
  TMS Management Tools System Requirements ... 12
  TMS Client System Requirements ... 13
Chapter 3 TMS Deployment Strategies ... 15
  TMS Architecture Overview ... 16
  Microsoft Active Directory Overview ... 16
  TMS Deployment Options ... 19
  Shadow Domain Installation ... 20
  TMS Installation Steps ... 21
Chapter 4 Deployment of TMS with MS SQL Server ... 25
  Prerequisites ... 26
  MS SQL Server Views ... 26
  Indexed Fields ... 29
Chapter 5 Deployment of TMS with OpenLDAP ... 31
  Using OpenLDAP as the User Store ... 32
  NameSpaces ... 32
  XML File Structure ... 33
  Performance ... 33
Chapter 6 Installation ... 34
  Installation Components ... 35
  Installing the TMS Server Component ... 36
  Installing the TMS Management Station Component ... 37
  Installing the TMS Client Component ... 37
  Migrating from TMS 1.5 to TMS 2.0 ... 40
  Removing TMS 1.5 ... 47
  Migrating OTP Connector ... 48
  Upgrading to TMS 2.0 SP3 ... 48
Chapter 7 TMS Configuration ... 49
  Opening the TMS Configuration Settings Wizard ... 50
  Configuring TMS for Active Directory ... 50
  Configuring TMS for OpenLDAP ... 60
  Configuring TMS for MS SQL Server ... 77
Chapter 8 Post-Installation Configuration ... 83
  Configuring TMS Policy Settings for Active Directory ... 85
  Configuring TMS Policy Settings for MS SQL Server and OpenLDAP ... 89
  Editing TMS Settings ... 93
Chapter 9 Defining Token Policies ... 113
  Understanding TPOs ... 114
  The Microsoft Active Directory Users and Computers Snap-in ... 115
  Configuring TPO Objects ... 115
  Specifying TPO Scope ... 128
  TPO Settings ... 132
Chapter 10 Configuring Enrollment Notification Letters ... 155
  Main Steps ... 156
  Configuring the Enrollment Letter Settings ... 156
  Editing the Enrollment Notification Letter Template ... 156
Chapter 11 Auditing TMS Events ... 161
  Configuring Audit Settings for Viewing in Event Viewer ... 162
  Configuring Audit Settings for Sending Notification Messages ... 164
  Configuring the Audit Notification Letter Template ... 171
  Viewing TMS Events in the Event Viewer ... 172
Chapter 12 The TMS Backend Service ... 175
  Overview ... 176
  Controlling Backend Services ... 177
Chapter 13 The TMS Desktop Agent ... 181
  Overview ... 182
  Expiry Alert ... 182
  Auditing the Removal and Insertion of eTokens ... 190
  Automatic eToken Virtual Download ... 191
  Configuring TMS Desktop Agent Web Service ... 193
Chapter 14 OTP Configuration ... 195
  OTP Web Service Configuration ... 196
  TMS IAS Plug-In Configuration ... 199
  Configuring IAS for use with MS SQL Server or OpenLDAP ... 201
Chapter 15 Exporting TMS Data ... 207
  Exporting TMS Data ... 208
Chapter 16 eToken Pass ... 209
  Importing the eToken Pass XML File ... 210
  eToken Pass Enrollment ... 213
  Locking eToken PASS ... 219
  Removing eToken PASS from the TMS Inventory ... 219
Chapter 17 Configuring eToken SSO Backup in TMS ... 221
  Prerequisites ... 222
  Configuring SSO Backup ... 222
Chapter 18 Glossary ... 229
Appendix 1 Installing and Configuring ADAM ... 243
Appendix 2 User Permissions ... 253
  The Minimum permission required to administer basic TMS operations ... 253
Appendix 3 Copyrights and Trademarks ... 259
  NOTICE ... 259
Appendix 4 FCC Compliance ... 261
  FCC Warning ... 261
  CE Compliance ... 261
  UL Certification ... 262
  ISO 9002 Certification ... 262
  Certificate of Compliance ... 262

Chapter 1
Introduction
This chapter describes the main features in the Aladdin Token Management System.
This chapter includes the following:
- Overview
- Main Features
- New in TMS 2.0
- New in TMS 2.0 SP3

Overview
eToken TMS is a robust, full life-cycle management system for your entire eToken enterprise authentication solution.
TMS provides a unique answer to one of the main challenges in managing security in an enterprise: connecting the users, their security devices, and the organizational policies to the associated security applications. TMS links them all into a single automated and fully configurable system, removing the barriers to the implementation of enterprise-wide security services, in particular those that rely on PKI technology.
TMS provides powerful tools so that you can cost-effectively and conveniently handle all aspects of token life cycle management. TMS capabilities include token deployment and revocation; web-based user self-service token enrollment and password reset; automatic backup and restore of user credentials; handling of lost and damaged tokens; and much more. In addition, TMS provides comprehensive auditing and reporting capabilities to help you comply with industry regulations such as Sarbanes-Oxley, HIPAA, Basel II, and more.
TMS's open, standards-based architecture, together with its seamless integration with Microsoft Active Directory, guarantees the flexibility and modularity you need to manage the authentication solution that best fits your current and evolving business environment.

[Figure: Overview of Aladdin TMS]

Aladdin TMS is based on an open standards architecture, with configurable connectors. This supports integration with a wide range of security applications including network logon, VPN, web access, one-time password authentication, secure e-mail and data encryption.
The Aladdin TMS SDK enables the integration and management of third-party security applications.

Main Features
The main features of TMS are:
- Full enterprise-wide deployment and life-cycle management of all authentication tokens, users and supported applications
- Simple wizard-based installation
- Web-based user self-service, help desk, and administrator management tools
- Open standards-based architecture support for security applications using configurable connectors
- SDK for integration of third-party applications
- Secure handling of lost and damaged tokens
- Solution for employees who lost or forgot their tokens while on the road
- Secure backup and restore of user keys and credentials
- Full auditing and reporting capabilities
- Role-based access to TMS
- Built-in data encryption with separate keys for different domains

New in TMS 2.0

Aladdin TMS 2.0 includes the following new and enhanced features:
- New design
- New and enhanced functionality
- Enhanced user experience

New Design
The new design of the TMS allows:
- Enhanced scalability through a 3-tier, Web-based architecture
- Enhanced data security
- Enhanced role management

New and Enhanced Functionality
The new and enhanced functionality of TMS includes the following:
- eToken Virtual ensures continued productivity when an employee loses an eToken
- Auditing and enhanced reporting (built-in reports and export capabilities for third-party reporting tools)
- New TMS Flash Management Connector (partitioning and managing of auto-run sections)
- Enhanced PKI management
- Automatic certificate renewal for Microsoft CA 2000/2003
- Enhanced revoke/delete user mechanism
- Support for all eToken devices including the eToken Pass (OTP-only device)

Enhanced User Experience
The user experiences:
- New web-based GUI design
- Simplified, wizard-based installation and configuration
- Support for authentication exceptions, such as an employee on the road who has lost his token, through the eToken Virtual (described above) and a self-service website
- Multilingual support

New in TMS 2.0 SP3

- User stores: TMS 2.0 SP3 supports MS SQL Server and OpenLDAP as user stores. This enables the deployment of TMS in environments where Microsoft Active Directory is not deployed or does not serve as the directory for the users to be managed by TMS.
- Localization support: eToken TMS 2.0 SP3 includes improved support for Japanese and Russian.
- More robust and better stability: implementation of new enhancements based on customer experience.

Chapter 2
System Requirements
This chapter describes the system requirements for Aladdin eToken TMS.
TMS comprises the following components: Server, Management Tools and Client.
This chapter includes the following:
- TMS Server System Requirements
- TMS Management Tools System Requirements
- TMS Client Component System Requirements

TMS Server System Requirements

Operating Systems
TMS Server runs on the following operating systems:
- Windows Server 2003 SP1 or SP2
- Windows 2000 Server SP4

Pre-requisites for all Supported OS
TMS Server pre-requisites for both Windows Server 2003 and Windows 2000:

Component: Description / Web reference

- Windows Installer 3.0
  The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

- Microsoft .NET Framework Version 2.0 Redistributable
  The Microsoft .NET Framework version 2.0 (x86) redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework v2.0.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

- Microsoft SQL Server 2005 or Microsoft SQL Server 2005 Express Edition SP2 (required if the attendance report feature is to be used)
  Microsoft SQL Server 2005 Express Edition is a free, lightweight version of SQL Server 2005.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=31711d5d-725c-4afa-9d65-e4465cdff1e7&displaylang=en

- TMS Configuration Store
  TMS 2.0 SP3 requires one of the following as TMS Configuration Store:
  - Active Directory
  - ADAM

- User Store
  TMS 2.0 SP3 requires one of the following as user store:
  - Active Directory
  - ADAM
  - MS SQL Server 2000 or 2005
  - OpenLDAP 2.3.38 or higher

- Aladdin RTE 3.65 or Aladdin PKI Client 4.0 or higher
  Required to work with eTokens and connector rules configuration. The PKI Client should be installed on both the server and the client machines for a fully featured TMS system.

Prerequisites for Windows 2000 Server

TMS server pre-requisites specific to Windows 2000 Server:

Component: Description / Web reference

- MSXML 4.0 Service Pack 2 (Microsoft XML Core Services)
  MSXML 4.0 Service Pack 2 (SP2) is a complete replacement of MSXML 4.0 and MSXML 4.0 Service Pack 1 (SP1). MSXML 4.0 SP2 provides a number of security and bug fixes. MSXML 4.0 SP2 does not replace MSXML 3.0.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=3144b72b-b4f2-46da-b4b6-c5d7485f2b42&displaylang=en

- Windows 2000 Authorization Manager Runtime
  Download the runtime libraries for Windows Authorization Manager on Windows 2000.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=7edde11f-bcea-4773-a292-84525f23baf7&displaylang=en

- Security Update for Windows 2000 (KB890859)
  A security issue has been identified that could allow an attacker to remotely compromise your Windows-based system and gain control over it.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=992C1BF9-A2C0-49D2-9059-A1DAD6703213&displaylang=en

Policy Settings for Windows 2000 Server

The following actions must be performed before installing TMS on Windows 2000 Server.
1. In Domain Controller Security Policy and Domain Security Policy, add the IWAM user to the Act as part of the operating system policy.
2. In Domain Controller Security Policy, add the IWAM user to the Impersonate a client after authentication policy.
3. Grant the IWAM user full access to the Windows temp, template and .NET directories.
4. In the Domain Controller Security Policy, add domain users, or authenticated users, to the Log on locally policy (to allow users to use basic authentication).
5. Run:
C:\Windows\Microsoft.Net\Framework\v2.0.50727\aspnet_regiis.exe -i
6. If IIS is installed on a different computer, grant the IWAM and ASPNET users read permission to:
HKEY_LOCAL_MACHINE\software\aladdin\etoken\tms\server\admin
7. Restart your computer.
Caution: Act as part of the operating system (SeTcbPrivilege) allows an account to create access tokens for any user and is equivalent to SYSTEM-level access. Grant it only to the specific IWAM account on the machines that host TMS, never to a broader group, and review the assignment after installation.
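The steps above hand the IWAM account two of the most powerful user rights on a domain controller, so a practitioner will want to confirm, after installation, exactly which accounts hold them. The following script is an added example written for this edition; it is not part of the Aladdin guide or the TMS product. It parses the INF produced by secedit /export /cfg <file> on the domain controller and reports every holder of the three rights named in the steps that is not on a baseline allow-list. The baseline of well-known SIDs, the sample export text and the account name IWAM_TMSDC01 are all constructed assumptions for the example.

```python
"""Audit the user rights assigned to IWAM (added example, not from the guide).

Export the effective policy on the domain controller with
    secedit /export /cfg C:\tms-rights.inf
and pass the file text to audit_privileges(). Real exports are UTF-16
encoded, so read them with open(path, encoding="utf-16"). SAMPLE_INF below
is a constructed excerpt in the same format with a placeholder IWAM account.
"""

# Right names as secedit writes them, mapped to the policy names used above.
SENSITIVE_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeInteractiveLogonRight": "Log on locally",
}

# Holders accepted without review. This baseline is an assumption for the
# example (Administrators S-1-5-32-544, SERVICE S-1-5-6, LOCAL SERVICE
# S-1-5-19, NETWORK SERVICE S-1-5-20, built-in operator groups
# S-1-5-32-548..551); replace it with your own policy.
BASELINE = {
    "SeTcbPrivilege": set(),  # nobody should hold this by default
    "SeImpersonatePrivilege": {"*S-1-5-32-544", "*S-1-5-6", "*S-1-5-19", "*S-1-5-20"},
    "SeInteractiveLogonRight": {"*S-1-5-32-544", "*S-1-5-32-548", "*S-1-5-32-549",
                                "*S-1-5-32-550", "*S-1-5-32-551"},
}

# Constructed sample export (not a real secedit capture).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = IWAM_TMSDC01
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,IWAM_TMSDC01
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set(holders)} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*' and unresolved names verbatim;
    both forms are kept as written so the caller can match either.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {h.strip() for h in value.split(",") if h.strip()}
    return rights


def audit_privileges(inf_text, baseline=BASELINE):
    """Return {right_name: sorted unexpected holders} for the sensitive rights.

    Every holder outside the baseline is reported, so the IWAM grants made by
    the steps above appear here and can be confirmed as the only additions.
    """
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for right in SENSITIVE_RIGHTS:
        extra = rights.get(right, set()) - baseline.get(right, set())
        if extra:
            findings[right] = sorted(extra)
    return findings


if __name__ == "__main__":
    for right, holders in audit_privileges(SAMPLE_INF).items():
        print(f"{SENSITIVE_RIGHTS[right]} ({right}): {', '.join(holders)}")
```

On the sample export the audit reports IWAM_TMSDC01 for the two privileges and Authenticated Users (S-1-5-11) for Log on locally, which is exactly the set of grants the steps require; any further name in the output is an assignment that the installation did not ask for and should be removed.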


TMS Management Tools System Requirements

Operating Systems
TMS Management Tools run on the following operating systems:
- Windows Server 2003 SP1 or SP2
- Windows 2000 Server SP4
- Windows 2000 Client SP4
- Windows XP SP2

Pre-requisites for all Supported OS
Management Tools pre-requisites for all supported operating systems:

Component: Description / Web reference

- Windows Installer 3.0
  The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

- Microsoft .NET Framework Version 2.0 Redistributable
  The Microsoft .NET Framework version 2.0 (x86) redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework v2.0.
  Web reference: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

TMS Client System Requirements

Operating Systems
TMS Client runs on the following operating systems:
- Windows Server 2003 SP1 or SP2
- Windows 2000 Server SP4
- Windows 2000 Client SP4
- Windows XP SP2
- Windows Vista

Note: If you install the TMS Client on Windows Vista, the TMS Management Center and TMS Self Service Center must be set as trusted sites.
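Trusted-site assignments are normally pushed to clients rather than clicked through per user, and they relax Internet Explorer's security level for whatever is listed, so the assignment should be limited to the TMS hosts over https. The script below is an added example for this edition, not part of the Aladdin guide; it builds a .reg file for the per-user ZoneMap that Internet Explorer and the Group Policy "Site to Zone Assignment List" use, with one key per registrable domain, a subkey for the host labels in front of it, and a DWORD named after the URL scheme holding the zone number (2 = Trusted sites). The TMS host name tms.example.com and the two virtual directory paths are placeholders assumed for the example; the guide does not give the real URLs.

```python
"""Generate a Trusted-sites .reg file for the TMS web sites (added example).

Registry layout (IE ZoneMap, per user): Domains\<domain>\<subdomain> with a
DWORD per scheme whose value is the zone id. Host names below are
placeholders, not taken from the guide.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_SITES_ZONE = 2  # IE zone ids: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                   r"\CurrentVersion\Internet Settings\ZoneMap\Domains")

# Placeholder URLs for the Management Center and Self Service Center.
TMS_SITES = [
    "https://tms.example.com/TMSManagement",
    "https://tms.example.com/TMSSelfService",
]


def zonemap_key(host):
    """Registry key for a host: the last two labels form the domain key and
    any leading labels become a subkey (tms.example.com ->
    ...\\Domains\\example.com\\tms). Single-label intranet names map directly.
    The two-label split is a simplification; multi-part public suffixes such
    as co.uk are not special-cased here."""
    host = host.lower().strip(".")
    labels = host.split(".")
    if len(labels) <= 2:
        return f"{ZONEMAP_DOMAINS}\\{host}"
    return f"{ZONEMAP_DOMAINS}\\{'.'.join(labels[-2:])}\\{'.'.join(labels[:-2])}"


def trusted_site_entries(urls, allow_http=False):
    """Return {registry_key: {scheme, ...}} for the given URLs.

    Only the scheme actually used is trusted. Trusting "http" lets a
    plaintext page (or anything that can spoof it on the path) run with the
    relaxed Trusted-sites settings, so it is refused unless explicitly allowed.
    IP literals live under ZoneMap\\Ranges, not Domains, and are rejected.
    """
    entries = {}
    for url in urls:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), parts.hostname
        if scheme not in ("http", "https") or not host:
            raise ValueError(f"not an http(s) URL with a host: {url!r}")
        if scheme == "http" and not allow_http:
            raise ValueError(f"refusing to trust plaintext http for {host}")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # a DNS name, which is what the Domains key expects
        else:
            raise ValueError(f"IP literal {host} belongs in ZoneMap\\Ranges")
        entries.setdefault(zonemap_key(host), set()).add(scheme)
    return entries


def render_reg(entries, zone=TRUSTED_SITES_ZONE):
    """Render the entries as a .reg file (DWORDs as 8 hex digits)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(entries):
        lines.append(f"[{key}]")
        for scheme in sorted(entries[key]):
            lines.append(f'"{scheme}"=dword:{zone:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_reg(trusted_site_entries(TMS_SITES)))
```

Importing the generated file with reg.exe or regedit on the Vista client adds the host to the Trusted sites list for the current user only; for a fleet, the same key/value layout is what the Group Policy site-to-zone assignment writes, and on a server with IE Enhanced Security Configuration enabled the parallel EscDomains key applies instead.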

Pre-requisites for all Supported OS

Component: Description

- Aladdin RTE 3.65 or Aladdin PKI Client 4.0 or higher
  Required to work with eTokens and connector rules configuration. The PKI Client should be installed on both the server and the client machines for a fully featured TMS system.

Chapter 3
TMS Deployment Strategies
This chapter describes the different options for deploying TMS and Microsoft Active Directory (AD).
Note: TMS 2.0 SP3 also supports MS SQL Server and OpenLDAP as the user store. See Deployment of TMS with MS SQL Server on page 25 or Deployment of TMS with OpenLDAP on page 31.

TMS is a web-based 3-tier application with a database, application tier, and top tier. The database is AD or ADAM (Microsoft Active Directory Application Mode).
By using AD, the industry standard directory service, TMS leverages AD's object security, access control, group policy, and replication functionality. Also, by using AD, TMS consumes fewer system resources.
This chapter includes the following:
- TMS Architecture Overview
- Microsoft Active Directory Overview
- TMS Deployment Options
- Shadow Domain Installation
- TMS Installation Steps

TMS Architecture Overview

TMS 2.0 is a web-based 3-tier application:
- Database: Active Directory (AD) or ADAM
- Application Tier: ASP.NET application
- Top Tier: Internet Explorer browser or a Windows Forms application

The Windows Forms client is used only for the Token Policy Object (TPO) editor. Other management or self-service capabilities are available from a web browser.

[Figure: TMS Architecture]

Microsoft Active Directory Overview

Microsoft Active Directory (AD) is a distributed directory service included with the Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating systems. AD enables centralized, secure management of an entire network.
AD provides a central location for network administration and delegation of administrative authority. You have access to objects representing all network users, devices, and resources. You can group objects for ease of management and application of security and group policy.
AD enables you to manage information, security, and single sign-on for user access to network resources. Tight integration with security eliminates the need to track accounts for authentication and authorization between systems. Tokens and security applications are managed similarly to other resources.

Domains, Trees, and Forests

AD uses organizational units (OU), domains, trees, and forests to represent the logical structure of the directory hierarchy.

- Organizational Unit: the smallest unit within a domain, used to subdivide the various administrative divisions. Organizational units can contain users, groups, computers, printers, and shared folders, as well as other organizational units.

- Domain: AD is made up of one or more domains. When you create the initial domain controller in a network, the domain is also created (each domain must have at least one domain controller). Each domain in the directory is identified by a DNS domain name.
  Domains are the basic entity used to manage the various populations of users, computers, and network resources in your enterprise.
  Note: TMS is installed at the domain level. In a multi-domain environment, TMS must be configured on each domain, even if they are in the same forest.

- Tree: a tree is a set of one or more domains with contiguous names. If more than one domain exists, you can combine the multiple domains into hierarchical tree structures.
  The first domain created is the root domain of the first tree. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is its parent. The parent-child relationship between domains in a domain tree is a naming and trust relationship only. Administrators in a parent domain are not automatically administrators of a child domain, and policies set in a parent domain do not automatically apply to child domains.

- Forest: a forest consists of one or more trees. The forest represents the security boundary for AD. All domain controllers in a forest host a copy of the forest Configuration and Schema containers in addition to a domain database.

You can delegate administrative authority at the domain or organizational unit level.

Schema
The AD schema defines the objects that are available to the directory service. You can add your own classes or attributes to an existing object type. The schema operates at the forest level; all domains in all trees in one forest have the same schema.
Note: When you install TMS, it extends the existing schema. To avoid changing the schema of your production forest, use the shadow domain model: TMS data is stored in the shadow domain, so the schema changes are made there (in a separate forest, or in an ADAM instance with its own schema) rather than in the production forest.

Domain Controller Roles


A domain controller is a server running Windows Server 2003 or
Windows 2000 Server, with AD installed.
When you install Windows Server 2003 or Windows 2000 Server on a
computer, you can configure a server role for that computer. To create a new
forest, a new domain, or an additional domain controller in an existing
domain, you configure the server as a domain controller by installing AD.
By default, a domain controller stores information about the domain in which
it is located, plus the schema and configuration directory partitions for the
entire forest.

Replication
Objects in the directory are distributed among the domain controllers in a
forest, and all domain controllers can be updated directly. The AD replication
process ensures that changes made on one domain controller are
automatically synchronized with other domain controllers.

Microsoft Active Directory Application Mode

Microsoft Active Directory Application Mode (ADAM) is a directory service that runs as a user service rather than as a system service.
ADAM is a Lightweight Directory Access Protocol (LDAP) directory service. You can run ADAM on servers running Microsoft Windows Server 2003 and also on clients running Microsoft Windows XP Professional.
Note: To run ADAM on clients running Windows XP Professional, you must install the latest service packs and hot fixes (see page 229).

ADAM provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for the Active Directory directory service. ADAM provides much of the same functionality as Active Directory, but it does not require the deployment of domains or domain controllers. You can run multiple instances of ADAM concurrently on a single computer, with an independently managed schema for each ADAM instance.
In very large domains with different geographical sites, AD has advantages over ADAM because of its replication capabilities and stronger security mechanisms. In other environments, the ADAM installation is simpler, and supports all TMS requirements.

TMS Deployment Options


Use the production domain on your current AD only if it is acceptable to you
that the schema will be modified. If you do not wish the schema to be
modified, use the shadow domain or ADAM development mode.

Production and Shadow Domains

You can install TMS on production domains or shadow domains, in a single or
multi-domain deployment.

Production Domain: if you install TMS on your current AD production
domain, the schema will be modified. Choose this option only if this is
acceptable.

Shadow Domain: choose a shadow domain installation if you do not want
to modify your current AD schema.
Use one of the following as a shadow domain:
AD domain, created for that purpose.
Microsoft Active Directory Application Mode (ADAM)

TMS Deployment Options

Domain Type   Domain Environment   Directory Service
Production    Single               AD
Production    Multi                AD
Shadow        Single               AD
Shadow        Single               ADAM
Shadow        Multi                AD
Shadow        Multi                ADAM

Shadow Domain Installation


Installing AD Shadow Domain
This section describes the main steps required to install the AD shadow
domain.
The installation process for each step is described later.
To install an AD shadow domain:
1. In a new domain, set up a shadow domain server with Windows
Server 2003 or Windows 2000 Server, and AD.
2. Connect the server to the current network and create a trust relationship
between the production domain and shadow domain.
The shadow domain must trust your production domain.
Note: The production and shadow domains must be in different forests.
3. Set up the DNS and Windows services in all domains.
All domains should be fully visible to each other from every point in the
network.
4. Install DC on the AD shadow domain server.
5. Define the user, with whom you want to install the TMS server, as an
Administrator in the shadow domain.

6. You can now install TMS.

Installing ADAM Shadow Domain

To install an ADAM shadow domain:
Install and configure ADAM on a computer in your domain (see page 243).

You can install ADAM on computers that are configured as domain
controllers, domain members or workgroup members. Multiple instances of
ADAM can run concurrently on a single server or a Windows XP workstation,
and each instance can be configured independently. No trust relationships are
required to work with ADAM.

TMS Installation Steps

This section describes the main steps required to install the different
deployment options.
The installation process for each step is described later.

Installing TMS in an AD Single Domain Production Environment
To install TMS in an AD single domain production environment:
1. Run the TMS Server installation on a member server in your domain.
2. Run the TMS Management station installation on every client.

Installing TMS in an AD Single Domain Shadow Environment
To install TMS in an AD single domain shadow environment:
1. Run the TMS Schema modification scripts installation on the shadow
domain.
2. Run the TMS Server installation on a member server in your production
domain.
Note: The two domains, production and shadow, must be in different
forests.

Installing TMS in an ADAM Single Domain Shadow Environment
To install TMS in an ADAM shadow domain environment:
1. Install ADAM on a machine in your production domain.
2. Install the TMS Server on a member server in your production domain.

Installing TMS in an AD Multi Domain Production Environment
You must configure TMS for every domain using TMS. All domains may be
managed from a single member server in your production domain, or by using
multiple servers.
To install TMS in a multi domain production environment:
1. Run the TMS Server installation on one member server in one of the
domains.
2. Configure TMS for every domain in the forest where you want TMS to be
used.

Installing TMS in an AD Multi Domain Shadow Environment
To install TMS in a multi domain shadow environment:
1. Run the TMS Server installation on a member server in one of the
domains in the forest.
2. Configure TMS for every domain in the forest where you want TMS to be
used.
If you are running on a child domain, administrator rights or root
administrator rights are needed. These rights are required only when the
schema is changed for the first time. For other activities, performed later, the
administrator does not need these rights.
Note: You can use the same shadow domain for multiple production domains
in your forest.

Installing TMS in an ADAM Multi Domain Shadow Environment
To install TMS in an ADAM multi domain shadow environment:
1. Run the TMS Schema modification scripts installation on the ADAM
shadow Domain Controller.
2. Run the TMS Server installation on a member server in one of the
domains in the forest.
3. Configure TMS for every domain in the forest where you want TMS to be
used.
If you are running on a child domain, administrator rights or root
administrator rights are needed. These rights are required only when the
schema is changed for the first time. For other activities, performed later, the
administrator does not need these rights.
Note: You can use the same ADAM shadow domain for multiple production
domains in your forest.

Chapter 4
Deployment of TMS with MS SQL Server
TMS 2.0 SP3 supports MS SQL Server as a user store, with ADAM as the TMS
Configuration Store.
For information about installing MS SQL server, refer to the following
document:
Installation flow TMS 2.0 SP3 with SQL Database
This chapter includes the following:
Prerequisites
MS SQL Server Views
Indexed Fields

Prerequisites
You must perform the following tasks before implementing MS SQL Server as
a user store:
Prepare the data views so that TMS can connect to the database.
Prepare the authentication .dll that will enable users to log on to TMS Centers.
Note: We recommend contacting eToken Technical support before preparing
the authentication .dll.

MS SQL Server Views

The required views must be created in MS SQL Server.
This set of views must be prepared as described to enable TMS to connect to
the database.

AksTMSUsers
Represents your users table.

Field              Type      Description                       Required Field
UserID             String    The user unique ID                Yes
AccountName        String    The unique user account name      Yes
PolicyObjectID     String    The direct organization unit      Yes (can be null)
LogonName          String    The unique user logon name        No
AccountEnabled     Boolean   Used by OTP authentication        No
AccountLocked      Boolean   Used by OTP authentication        No
FirstName          String    The user first name               No
LastName           String    The user last name                No
Initials           String    The user initials                 No
MiddleName         String    The user middle name              No
Street             String    The user address street           No
POBox              String    The user address PO Box number    No
City               String    The user address city             No
State              String    The user address state            No
ZipCode            String    The user address zip code         No
CountryCode        String    The user address country code     No
HomePostalAdress   String    The user home postal address      No
Email              String    The user email                    No
MobilePhone        String    The user mobile phone             No
HomePhone          String    The user home phone               No
OrganizationName   String    The user organization name        No
Company            String    The user company                  No
EmployeeNumber     String    The user employee number          No
DepartmentNumber   String    The user department number        No
Office             String    The user office                   No
DisplayName        String    The user full display name        No

AksTMSGroups
Represents your groups table.

Field         Type     Description                   Required Field
GroupID       String   The group unique ID           Yes (value required)
GroupName     String   The unique group name         Yes (value required)
DisplayName   String   The group full display name   No

AksTMSUserOfGroup
Represents membership of users in the groups.

Field     Type     Description                            Required Field
GroupID   String   The group unique ID                    Yes (value required)
UserID    String   The user that belongs to the group     Yes (value required)

AksTMSGroupOfGroup
Represents the group hierarchy.

Field           Type     Description                            Required
GroupID         String   The group unique ID                    Yes (value required)
MemberGroupID   String   The subgroup that belongs to the group Yes (value required)

AksTMSPolicyObjects
Represents hierarchy of the organization (equivalent to OU).

Field            Type      Description                          Required
PolicyID         String    The policy object unique ID          Yes (value required)
PolicyName       String    The unique policy object name        Yes (value required)
Root             Boolean   Policy object is root                Yes (value required)
ParentPolicyID   String    The ID of the parent policy object   Yes (value not required)
DisplayName      String    The policy full display name         No

Indexed Fields
To ensure optimum performance, all required fields in the SQL database
should be indexed:

AksTMSUsers: UserID, AccountName, PolicyObjectID

AksTMSGroups: GroupID, GroupName

AksTMSUserOfGroup: GroupID, UserID

AksTMSGroupOfGroup: GroupID, MemberGroupID

AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID
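The five views and the indexed fields above, as one complete T-SQL script. This is an added example, not code from the TMS guide or from Aladdin: the HR base tables under the hr schema, their column names, and the login tms_svc are assumptions made for the example; only the view names, column names and required/optional status come from the tables in this chapter.

```sql
-- Added example, not from the TMS guide or Aladdin. It exposes an assumed HR
-- schema (tables under "hr") to TMS through the five required views, indexes
-- the required fields on the base tables, and grants an assumed login
-- "tms_svc" read access to the views only. Run as the database owner (dbo).
CREATE SCHEMA hr;
GO
CREATE TABLE hr.OrgUnits (
    OrgUnitId   INT           NOT NULL PRIMARY KEY,                   -- PolicyID
    OrgUnitName NVARCHAR(128) NOT NULL UNIQUE,                        -- PolicyName
    ParentId    INT           NULL REFERENCES hr.OrgUnits(OrgUnitId)  -- NULL = root
);
CREATE TABLE hr.Employees (
    EmployeeId     INT           NOT NULL PRIMARY KEY,                -- UserID
    SamAccountName NVARCHAR(64)  NOT NULL UNIQUE,                     -- AccountName
    OrgUnitId      INT           NULL REFERENCES hr.OrgUnits(OrgUnitId),
    IsEnabled      BIT           NOT NULL DEFAULT 1,
    IsLocked       BIT           NOT NULL DEFAULT 0,
    FirstName      NVARCHAR(64)  NULL,
    LastName       NVARCHAR(64)  NULL,
    Email          NVARCHAR(256) NULL
);
CREATE TABLE hr.Groups (
    GroupId   INT           NOT NULL PRIMARY KEY,                     -- GroupID
    GroupName NVARCHAR(128) NOT NULL UNIQUE                           -- GroupName
);
-- One row per membership; exactly one member column is set, so this table
-- backs both AksTMSUserOfGroup and AksTMSGroupOfGroup.
CREATE TABLE hr.GroupMembers (
    GroupId       INT NOT NULL REFERENCES hr.Groups(GroupId),
    MemberUserId  INT NULL     REFERENCES hr.Employees(EmployeeId),
    MemberGroupId INT NULL     REFERENCES hr.Groups(GroupId),
    CONSTRAINT CK_GroupMembers_OneMember CHECK (
        CASE WHEN MemberUserId  IS NULL THEN 0 ELSE 1 END +
        CASE WHEN MemberGroupId IS NULL THEN 0 ELSE 1 END = 1)
);
GO
-- A plain view has no storage, so "indexing the required fields" means
-- indexing the base-table columns behind them. PRIMARY KEY and UNIQUE
-- already cover the ID and name columns; the rest get explicit indexes.
CREATE INDEX IX_Employees_OrgUnitId        ON hr.Employees(OrgUnitId);        -- PolicyObjectID
CREATE INDEX IX_OrgUnits_ParentId          ON hr.OrgUnits(ParentId);          -- ParentPolicyID
CREATE INDEX IX_GroupMembers_GroupId       ON hr.GroupMembers(GroupId);       -- GroupID
CREATE INDEX IX_GroupMembers_MemberUserId  ON hr.GroupMembers(MemberUserId);  -- UserID
CREATE INDEX IX_GroupMembers_MemberGroupId ON hr.GroupMembers(MemberGroupId); -- MemberGroupID
GO
-- AksTMSUsers: UserID, AccountName and PolicyObjectID are required (PolicyObjectID
-- may be NULL). Optional fields the HR schema lacks are supplied as typed NULLs.
CREATE VIEW dbo.AksTMSUsers AS
SELECT CAST(e.EmployeeId AS NVARCHAR(32)) AS UserID,
       e.SamAccountName                   AS AccountName,
       CAST(e.OrgUnitId AS NVARCHAR(32))  AS PolicyObjectID,
       e.SamAccountName                   AS LogonName,
       e.IsEnabled                        AS AccountEnabled,
       e.IsLocked                         AS AccountLocked,
       e.FirstName, e.LastName,
       CAST(NULL AS NVARCHAR(16))  AS Initials,         CAST(NULL AS NVARCHAR(64))  AS MiddleName,
       CAST(NULL AS NVARCHAR(128)) AS Street,           CAST(NULL AS NVARCHAR(32))  AS POBox,
       CAST(NULL AS NVARCHAR(64))  AS City,             CAST(NULL AS NVARCHAR(64))  AS State,
       CAST(NULL AS NVARCHAR(16))  AS ZipCode,          CAST(NULL AS NVARCHAR(8))   AS CountryCode,
       CAST(NULL AS NVARCHAR(256)) AS HomePostalAdress, -- spelled as the TMS view expects
       e.Email,
       CAST(NULL AS NVARCHAR(32))  AS MobilePhone,      CAST(NULL AS NVARCHAR(32))  AS HomePhone,
       CAST(NULL AS NVARCHAR(128)) AS OrganizationName, CAST(NULL AS NVARCHAR(128)) AS Company,
       CAST(NULL AS NVARCHAR(32))  AS EmployeeNumber,   CAST(NULL AS NVARCHAR(32))  AS DepartmentNumber,
       CAST(NULL AS NVARCHAR(64))  AS Office,
       LTRIM(RTRIM(ISNULL(e.FirstName, N'') + N' ' + ISNULL(e.LastName, N''))) AS DisplayName
FROM hr.Employees AS e;
GO
CREATE VIEW dbo.AksTMSGroups AS
SELECT CAST(g.GroupId AS NVARCHAR(32)) AS GroupID, g.GroupName, g.GroupName AS DisplayName
FROM hr.Groups AS g;
GO
CREATE VIEW dbo.AksTMSUserOfGroup AS
SELECT CAST(m.GroupId AS NVARCHAR(32)) AS GroupID, CAST(m.MemberUserId AS NVARCHAR(32)) AS UserID
FROM hr.GroupMembers AS m WHERE m.MemberUserId IS NOT NULL;
GO
CREATE VIEW dbo.AksTMSGroupOfGroup AS
SELECT CAST(m.GroupId AS NVARCHAR(32)) AS GroupID, CAST(m.MemberGroupId AS NVARCHAR(32)) AS MemberGroupID
FROM hr.GroupMembers AS m WHERE m.MemberGroupId IS NOT NULL;
GO
-- AksTMSPolicyObjects: Root is derived from the absence of a parent.
CREATE VIEW dbo.AksTMSPolicyObjects AS
SELECT CAST(o.OrgUnitId AS NVARCHAR(32))                           AS PolicyID,
       o.OrgUnitName                                               AS PolicyName,
       CAST(CASE WHEN o.ParentId IS NULL THEN 1 ELSE 0 END AS BIT) AS Root,
       CAST(o.ParentId AS NVARCHAR(32))                            AS ParentPolicyID,
       o.OrgUnitName                                               AS DisplayName
FROM hr.OrgUnits AS o;
GO
-- Least privilege for the TMS connection: the login can read the views only. dbo owns
-- both the views and the hr tables, so ownership chaining lets the views run without
-- granting the login any right on the tables themselves.
CREATE LOGIN tms_svc WITH PASSWORD = N'<placeholder: set a strong password>';
CREATE USER  tms_svc FOR LOGIN tms_svc;
GRANT SELECT ON dbo.AksTMSUsers         TO tms_svc;
GRANT SELECT ON dbo.AksTMSGroups        TO tms_svc;
GRANT SELECT ON dbo.AksTMSUserOfGroup   TO tms_svc;
GRANT SELECT ON dbo.AksTMSGroupOfGroup  TO tms_svc;
GRANT SELECT ON dbo.AksTMSPolicyObjects TO tms_svc;
```

The login tms_svc (or the Windows account used instead of it) is the one you later enter in the Configuration Wizard when you select SQL Server authentication; giving it SELECT on the five views and nothing else keeps the TMS connection from reaching the HR tables or any other object in the database. The indexes are on the base tables because the views are not materialised; Root is computed on the fly in this layout and is therefore not indexed, which is acceptable while the policy-object tree is small.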


Chapter 5
Deployment of TMS with OpenLDAP
TMS 2.0 SP3 supports OpenLDAP as a user store, with ADAM as the TMS
Configuration Store.
OpenLDAP Software is an open source implementation of the Lightweight
Directory Access Protocol.
For more information about OpenLDAP see http://www.openldap.org/
For information about installing OpenLDAP, refer to the following document:
Installation flow TMS 2.0 SP3 with OpenLDAP Database
This chapter includes the following:
Using OpenLDAP as the User Store
NameSpaces
Indexed Fields
Performance

Using OpenLDAP as the User Store

TMS 2.0 SP3 supports the use of OpenLDAP as a user store, with ADAM as
the TMS Configuration Store.
In contrast to AD, OpenLDAP does not use a specific schema definition for
users, groups and so on. It uses a basic definition that is extended on each
installation.
If you require an OpenLDAP schema different from the default, you must
provide an XML file to match TMS aware entities (users, groups and policy
objects) with existing properties in the OpenLDAP installation (as described
in Prerequisites and MS SQL Server Views on page 26).

NameSpaces
The default namespace contains the following object classes:
organizationalPerson (User)
organizationalUnit (Policy Linker)
groupOfNames (Group)
Any OpenLDAP implementation that utilizes these object classes, or classes
derived from them, will work correctly.
When using the notifications feature of TMS, a user email is expected to be
located in the user object. The default email attribute name used is mail,
which also belongs to the inetOrgPerson object class. So if an OpenLDAP
implementation already contains inetOrgPerson objects which are also
holding the user's email, the notification feature will work correctly with no
modifications.
However, if different object classes and attributes are required, an XML file
named LDAPSchema.xml should be created and placed in the installation
directory (under BIN).

XML File Structure

This XML file should be structured as follows and contain the appropriate
attribute names (in this example, default attributes are displayed).
<Schema>
  <NameOfUser>cn</NameOfUser>
  <UserEmail>mail</UserEmail>
  <UserAccountName>cn</UserAccountName>
  <User>organizationalPerson</User>
</Schema>

Performance
For optimum performance, the following attributes should be
indexed:

index member,ou pres,eq
index cn pres,eq,sub
index objectClass,entryUUID eq

This is assuming that the following object classes are used:
organizationalPerson, organizationalUnit, groupOfNames, where cn is the
unique identifier for users and groups, and ou is the unique identifier for OU.
In any other namespace configuration, indexing should be modified
accordingly.

Chapter 6
Installation
This chapter describes the installation of TMS.
This chapter includes the following:
Installation Components
Installing the TMS Server Component
Installing the TMS Management Station Component
Installing the TMS Client Component
Migrating from TMS 1.5 to TMS 2.0
Removing TMS 1.5
Migrating OTP Connector
Upgrading to TMS 2.0 SP3

Installation Components
Install the following eToken TMS components:
Server
Management Tools
Client
Schema Modification Scripts

TMS installation components

Component: Server
File: TMS_server_2.0.msi
Comments: We recommend running a dedicated TMS (IIS) Server.
Install the TMS on the required server. This must be a member server running
IIS on which the TMS web application will be installed. One or more such
servers may be installed in the organization.
For Windows 2000 Advanced Server with IIS 5 the following security policy
should be defined in the IIS user for all the TMS web sites to be available:
Impersonate a client after authentication
For more information see: http://support.microsoft.com/kb/824308.

Component: Management Tools
File: TMS_management_2.0.msi
Comments: Install on every workstation from where the administrator will
access the TPO editor.

Component: Client
File: TMS_client_2.0.msi
Comments: Install the Self enrolment tasks on every workstation where the
TMS web sites are used or on any client where the TMS desktop agent is
intended to be used.

Component: Schema Modification Scripts
File: TMS_schema_install_2.0.msi
Comments: Install on the shadow domain domain controller. Includes only the
scripts required to modify the domain schema.

Schema Modification Scripts

The schema modification scripts create the required changes in the Active
Directory (AD) schema prior to running the TMS Configuration Wizard. This
means that the schema will not be changed during the TMS Configuration.
This is required only if the system administrator wants to prevent users from
making changes to the schema when they configure TMS.
To run the schema modification scripts:
1. Run TMS_schema_install_2.0.msi
This installs:
C:\Program Files\Aladdin\eToken\Tms20\Bin\schemaInstall.vbs
2. Run the following command:
Cscript.exe schemaInstall.vbs [domain name] /AD
Note: To run the schema modification script, the permissions must allow
making changes to the schema.

Silently Installed Component

ASP.NET.AJAX is installed together with TMS.
ASP.NET.AJAX is a free framework for quickly creating a new generation of
more efficient, more interactive and highly-personalized Web experiences
that work across all the most popular browsers.

Installing the TMS Server Component

The TMS server must be installed before the other components.
To install TMS on the server:
1. Double-click TMS_server_2.0.msi.
The installation wizard opens.
2. Follow the instructions on the screen.
3. After the wizard completes the installation, click Finish to exit.
The TMS Configuration Settings Wizard opens (see page 49).
4. To start the configuration click Next, or click Cancel to configure TMS
later.
Note: We recommend completing the TMS configuration at this time.
However, the configuration can be performed later using the TMS
Configuration Tool.

Installing the TMS Management Station Component

To install TMS on the management station:
1. Double-click TMS_management_2.0.msi.
The installation wizard opens.
2. Follow the instructions on the screen.
3. After the wizard completes the installation, click Finish to exit.

Installing the TMS Client Component

Note: If you are installing the TMS Client on Windows Vista, the TMS
Management Center and TMS Self Service Center must be set as trusted sites.
To install TMS on the client:
1. Double-click TMS_client_2.0.msi.
The installation wizard opens.
2. Click Next.
The License Agreement window opens.
3. Select I accept the license agreement and click Next.
The TMS 2.0 Client Setup window opens.
4. Select the required installation type and click Next.
If you select the Custom installation, the Select Features window opens.
5. Select one or both of the available options:
DesktopAgent
WebClient
6. Click Next.
The Ready to Install the Application window opens.
7. Click Next.
When installation is complete, the TMS 2.0 Client has been successfully
installed window opens.
8. Click Finish to exit the Wizard.

Migrating from TMS 1.5 to TMS 2.0

To upgrade from TMS 1.5 to TMS 2.0, install version 2.0 and then run the
TMS Migration Wizard.
TMS 1.5 and TMS 2.0 can coexist in the same domain and even on the same
computer. This enables you to run TMS 2.0 and TMS 1.5 concurrently before
you convert your installation to TMS 2.0 only.
Note: The user running the migration must be a member of the 1.5
TmsAdmins group.
To migrate from TMS 1.5 to TMS 2.0:
1. Run MigrationWizard.exe.
(The default folder is C:\Program Files\Aladdin\eToken\Tms20\Bin)
The TMS Migration Wizard opens.
2. Click Next.
The Production Domain window opens.
3. Select the domain used by TMS 1.5 and click Next.
The TMS V1.5 Data Storage window opens.
4. Select the TMS V1.5 data storage location and click Next.
If you selected Shadow Domain in the TMS V1.5 Data Storage window,
the Shadow Domain window opens.
5. Click Next.
The TMS V2 Connection window opens.
6. Select the type of TMS V2 database, and click Next.
If you selected ADAM instance in the TMS V1.5 Data Storage window,
the ADAM Server window opens.
7. Enter the TMS 2.0 ADAM server and the ADAM service port number and
click Next.
The Migration Sources window is displayed.
8. Select any combination of the objects to be migrated from TMS 1.5 to TMS
2.0 and click Next:
Migrate global TMS configuration
Migrate policies
Migrate users & tokens
Note: Security properties of the TPO or GPO are not migrated. Only the
authenticated users rule is migrated.
The Users Location window opens.
9. Select one of the following and click Next:
I want to migrate entire domain
I want to select users container manually
The Override Flags window opens.
10. Select one of the following override policies for the TMS 1.5 to TMS 2.0
migration and click Next:
Never override existing object
Override existing object when newer
Always override existing object
The Process window opens.
11. When the database migration processes are completed, click Next.
The Wizard complete window opens.
12. Click OK to exit the Wizard.
The migration from TMS 1.5 to TMS 2.0 is complete.

Removing TMS 1.5

When you remove TMS, choose whether to delete or maintain the database in
the domain. If you delete the database, all information about users and
eTokens is lost.
Note: Remove TMS 1.5 only after ensuring that TMS 2.0 is working as
required. You are advised to wait for a few months before removing TMS 1.5.
To remove TMS 1.5 from the domain:
1. From the Windows Start menu select
Programs>eToken>TMS>TMS>DB Tools.
2. In the Uninstall tab, select Remove and click Next.
The eToken TMS 1.5 Uninstall Wizard opens.
3. Click Next and follow the wizard instructions.
4. When the uninstall process is complete, click Finish to exit the wizard.

Migrating OTP Connector

1. In the TMS installation folder, create a subfolder named OtpMigration.
2. Copy the active OTP key file to the OtpMigration folder and rename the
file keys.osk.
The original file should be located at:
C:\Program Files\Aladdin\etias\encryption\current\kes.osk

Upgrading to TMS 2.0 SP3

The following upgrade packages support upgrade from TMS 2.0 (GA), TMS 2.0 SP1
and TMS 2.0 SP2:
TMS Server update package (TMS2SrvSP3.msp)
Management tools update package (TMS2MgmtSP3.msp)
TMS Client update package (TMS2ClientSP3.msp)
IAS extension update package (TMS2IasSP3.msp)

Chapter 7
TMS Configuration
The TMS Configuration Wizard opens immediately after the installation
process is complete. Also, you can configure TMS later.
This chapter contains:
Opening the TMS Configuration Settings Wizard
Configuring TMS for Active Directory
Configuring TMS for OpenLDAP
Configuring TMS for MS SQL Server

Opening the TMS Configuration Settings Wizard

The TMS Configuration Settings Wizard opens automatically after the TMS
2.0 Server Installation Wizard closes.
The configuration wizard helps you configure the settings with step by step
instructions.
You can configure TMS at a later time but we recommend doing this
immediately.
To open the TMS Configuration Settings Wizard:
Select Start>Programs>eToken>TMS2.0>TMS Configuration Tool.
The TMS Configuration Settings Wizard opens.

Configuring TMS for Active Directory

To configure TMS with the wizard:
1. To run the wizard, in the TMS Configuration Settings Wizard window
click Next.
The Production Domain window opens.
2. Select the domain where the users have to be managed and click Next.
The TMS Data Storage window opens.
3. Select the TMS data storage destination and click Next.
Select the data storage based on your installation configuration:
Production (AD)
Shadow (AD)
Shadow (ADAM)
The TMS Services Account window opens.
4. Enter the account to be used for TMS operations.
Note: The account does not have to be an administrator account, but
must have enough privileges to run the connectors (for information on
User Permissions see page 253).
5. Enter the TMS service account password, confirm and click Next.
The Connectors window opens.
6. Select the connectors to be installed and click Next.
The Create New Authorization Management Store window opens.
7. Select one of the following locations for the Authorization Management
Store (the authorization database used by TMS):
Active Directory: enter the LDAP path of the Active Directory
XML File: enter the file system path to the XML file (this is the only
option available if the domain functional level is not 2003).
Note: Active Directory storage does not modify the schema. It is available
only with Windows 2003 Function Level. We recommend using this
option if more than one TMS server is to be installed, to ease database
sharing.
8. Click Next.
The TMS Service window opens.
In the TMS Service window, you can set the frequency of the service (see
The TMS Backend Service on page 175).
9. If required, select Activate TMS service on this server.
10. If required, select Enable Scheduling and select one of the following:
Periodically: enter the interval in hours.
Daily: enter the time at which scheduling is to be performed.
Weekly: enter the day of the week when scheduling is to be performed.
11. Select Next.
The Attendance Reports Configuration window opens.
12. Select from the following options:
I will not use this feature
I will use this feature and have a default installation of SQLEXPRESS
on this machine
I will use this feature and would like to connect to the following
database server: enter the URL to the database server
13. Click Next.
The Installation Details window opens.
14. Select Next to confirm the installation details.
The Install window opens and the installation process starts.
15. When the installation is complete, click Next.
The Post Installation Operations window opens.
16. Select one or both tasks to be performed and click Next.
If both tasks (Authorization Manager and TPO Editor) are selected, the
TMS Roles window opens first.
17. Start editing TMS Roles by clicking Launch Roles Editor and click
Next.
The TMS Authorization Manager opens.
18. Configure the Roles (see Defining Roles on page 101).
The Token Policies window opens.
19. Click Edit TPO.
The TPO Properties dialog box opens.
20. Select a policy in the Token Policy Object Links field and click Edit.
The Token Policy Object Editor opens.
21. Configure the TPO settings (see page 83).

Configuring TMS for OpenLDAP

To configure TMS with the wizard:
1. To run the wizard, in the TMS Configuration Settings Wizard window
click Next.
The Production Type window opens.
2. Select OpenLDAP Production Domain and click Next.
The OpenLDAP Directory window opens.
3. Click the Browse button next to the Select Directory field.
The Select OpenLDAP window opens.

4. Complete the fields as follows:

Field                                     Description
Server                                    Enter the IP address of the OpenLDAP server.
Port                                      Enter the OpenLDAP port. This is determined when
                                          the OpenLDAP is configured.
Naming Context                            Click the browse button and select the required
                                          naming context.
Simple Binding using Anonymous User       Select this option to connect to the OpenLDAP
                                          without a user and password. This is possible only
                                          if this option is enabled in the system.
Simple Binding using the Following User   Select this option to connect to the OpenLDAP
                                          using the User DN and Password. Enter the User DN
                                          and Password in the appropriate fields.

5. Click OK.
You are returned to the OpenLDAP Directory window.
6. Click the Validate button.
The connection to the OpenLDAP is validated and the instance name is
entered in the Instance name field.

7. Click Next.
The Authentication Plug-in window opens.
8. Click Browse and navigate to the Authentication plug-in file.
Note: Contact eToken technical support for assistance in creating the
Authentication plug-in file. It is required to enable the user to log on to the
TMS Management Center, the TMS Remote Service Center, the TMS Self
Service Center and TPO. This is because the AD is not available to provide
the mechanism for authenticating user name and password. Also for SQL
The ADAM Server window opens.
9. In the ADAM server field, enter the name of the server where ADAM is
located.
10. In the ADAM service port number field, enter the ADAM port number.
11. Click Next.
The TMS Services Account window opens.
12. In the Use this account field, enter the account to be used for TMS
operations.
13. Enter the password and confirm.
Note: The account does not have to be an administrator account, but
must have enough privileges to run the connectors (for information on
User Permissions see page 253).
Also, some actions involving external entities, such as Certification
Authorities, may require additional permissions.
14. Click Next.
The TMS Roles Account window opens.
The user selected in this window is granted permissions to use TPO and
the TMS Management Center.

15. Enter the user in the Default authorized user field or click the Browse
button.
If you clicked the Browse button, the Select User or Group window
opens.
16. Enter a user name in the Enter the object name to select field and click
Check Names.
If more than one match is found for the entered name, a list of matching
names is displayed.
17. Select the required name and click OK.
The selected user is displayed in the Enter the object name to select field.
18. Click OK.
The selected user is displayed in the Default authorized user field.
19. Click Next.
The Connectors window opens.
20. Select the connectors to be installed and click Next.
The TMS Roles window opens.
21. In the Store the XML file in the following directory field, enter the path to
the XML role management file and click Next.
Tip: This XML file contains the mapping between TMS users, groups and
policy objects and existing entities in the OpenLDAP.
The TMS Service window opens.
In the TMS Service window, you can set the frequency of the service (see
The TMS Backend Service on page 175).
22. If required, select Activate TMS service on this server.
23. If required, select Enable Scheduling and select one of the following:
Periodically: enter the interval in hours.
Daily: enter the time at which scheduling is to be performed.
Weekly: enter the day of the week when scheduling is to be performed.
24. Select Next.
The License window opens.
25. Do one of the following:
If you are evaluating TMS, select I will use the 90 days evaluation
license.
If you have a license, select I will use the following license provided
by Aladdin and paste the license number into the field.
26. Click Next.
The Installation Details window opens.
27. Select Next to confirm the installation details.
The Install window opens and the installation process starts.
28. When the installation is complete, click Next.
The Installation Completed window opens.
29. Click OK to complete the configuration process.

Configuring TMS for MS SQL Server

To configure TMS with the wizard:
1. To run the wizard, in the TMS Configuration Settings Wizard window
click Next.
The Production Type window opens.
2. Select Relational Database and click Next.
The Relational Database window opens.
You can connect to the SQL Server by selecting the SQL Server name or,
alternatively, you can connect through an ODBC connection.
Tip: For information about creating an ODBC connection, refer to
Microsoft documentation.
3. To connect to the SQL Server, select SQL Server and click Browse.
4. To connect through ODBC, go to step 8.
The Select SQL Server window opens.

5. In the Select server name field, select the required server from the list.
6. Select one of the following:
Use Windows Authentication
Use SQL Server Authentication (if selected, enter user name and
password)
7. In the Selected database field, select the required database from the list
and click OK.
You are returned to the Relational Database window.
Go to step
8. To connect through ODBC, select ODBC and click Browse.
The Select ODBC Data Source window opens.
9. Select the required ODBC data source and click OK.
You are returned to the Relational Database window.
10. In the Relational Database window click Validate.
The system validates the connection and returns the instance name.
11. Click Next.
The Authentication Plug-in window opens.
The remaining steps are the same as described for the OpenLDAP
configuration. Continue from step 8 on page 65.

Chapter 8
Post-Installation Configuration
After installation, Aladdin eToken TMS needs to be configured according to
the requirements of your organization.
We recommend that the complete configuration of the TMS be completed
immediately after the installation using the Configuration Wizard (see page
49).
However, the configuration can also be performed at a later time. You can also
edit and modify the settings created during the first run of the configuration
wizard.
This chapter includes the following:
Configuring TMS Policy Settings for Active Directory
Configuring TMS Policy Settings for MS SQL Server and OpenLDAP
Editing TMS Settings

Configuring TMS Policy Settings for Active


Directory
If you are using Active Directory (AD) or ADAM as your user store, the TMS
policy settings are configured in the Token Policy Object Editor.
To configure TMS policy settings:
1. From the Windows Start menu, go to Programs > Administrative
Tools > Active Directory Users and Computers.

The Active Directory Users and Computers window opens.
2. Right click production.com in the tree node of the navigation pane and
select Properties from the dropdown menu.
The Properties dialog box opens.
3. Select the Token Policy tab and click Open.
The Token Policy Object dialog box opens.
4. Select the Default Policy and click Edit.
The Token Policy Object Editor window opens.
5. Configure the TPO rules/settings (see TPO Settings on page 132).

Configuring TMS Policy Settings for MS SQL Server and OpenLDAP
If you are using MS SQL Server or OpenLDAP as your user store, the TMS
policy settings are configured in the TMS Policy Manager.
To open the TMS Policy Manager:
1. Click the ProductionEditor.exe file
(default path: C:\Program Files\Aladdin\eToken\Tms20\Bin).
The TMS Policy Manager opens.
2. Right click the TMS Policy Manager node and select Connect to
Domain.
The Connect to <domain name> instance window opens.
The Authentication instance <domain name> window opens.

3. Enter the user name and password and click OK.
The TMS Policy Manager displays the domain and its organizational units
(OUs).
4. Right click one of the nodes and select Properties.
The <domain name> TPO Properties window opens.
5. Select the policy and click Edit.
The Token Policy Object Editor opens.
6. Configure the TPO rules/settings (see TPO Settings on page 132).

Editing TMS Settings
The following TMS settings can be edited with the TMS Configuration tool:

Security Keys

TMS Public Key

Connectors

Roles

Backend Service

To open the Edit TMS Settings screen:

From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.

The Edit TMS Settings window opens.

Configuring Security Keys
The Security Keys encrypt TMS data in the Active Directory. These keys can
be exported or imported.
These keys are often configured for renewal every year. The Security Keys
options in the Action dropdown menu are enabled only when there are keys
due for renewal (once a year).
You can do the following with the Security Keys:
Renew Keys: enabled only if there are tokens to be renewed
Export Key
Import Key

To configure the Export Keys:


1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. From the Action menu, select Security Keys.
The Security Keys options open.
3. Select the Export Keys option.
The Export File window opens.
4. Enter the file path to be exported or browse to the required file and click
Next.
The Export Password window opens.
5. Enter the password, confirm it and click Next.
The file is exported and the Export Completed window opens.
6. Click OK to exit from the Edit TMS Settings window.


To configure the Import Keys:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. From the Action menu, select Security Keys.
3. From the Security Keys options, select Import Keys.
The Import File window opens.
4. Enter the path to the source file or browse for the required file and click
Next.
The Import Password window opens.
5. Enter the password that was set when this file was created and click Next.
The key is imported and the Import Completed window opens.
6. Click OK to exit the window.

Configuring TMS Public Key
The TMS Public Keys are used by the TMS client for sending data to TMS.
They can be renewed using the TMS Public Keys option and also the Security
Keys option. If there are no keys to renew, then this option is disabled.
To configure the TMS Public Key:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. From the Action menu, select TMS Public Key.
3. Select the only option of TMS Public Key, Renew Keys.

Configuring Connectors
To configure the connectors:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. From the Action menu, select Connectors.
3. Click Add New Connector.
The list of available connectors in the TMS (BIN) opens.
4. Enter the file name and click Open.
5. If you enter a wrong name for the connector, an error message appears.

TMS Roles Overview


TMS encompasses three levels of assignments, built into a hierarchical
structure:

Roles: Level 1 activity (group of tasks)

Tasks: Level 2 activity (operation or group of operations)

Operations: Level 3 activity (single action)

TMS Assignments
The lowest level in the hierarchy is Operations. They operate as a series of
building blocks with the lowest level being a single operation. A Task consists
of one or more Operations and may include other Tasks. A Role is generally
performed by a single person (for example, an administrator) and is made up
of a number of Tasks and Operations.

TMS Predefined Roles


TMS is configured with three predefined roles:

TMS Administrator: allowed to perform all TMS tasks

TMS Helpdesk: allowed to perform all TMS tasks except modifying TPOs

TMS End User: allowed to use all self service options on the eToken
Remote Help Center web site and the eToken Administration center.

Defining Roles
Use the TMS Authorization Manager to:

Define roles and tasks,

Allocate role assignments

Create additional roles, tasks, operations and role assignments

You can modify roles according to the different applications in TMS:

TMS Management Center

TMS Self Service Center

TMS Remote Service Center

To configure TMS Roles:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select Roles, and then click Edit Roles from the
available choices.
The TMS Authorization Manager opens.
3. Select eToken Management Center, and click New Scope on the Action
menu.
The New Scope window opens.

4. Select one of the following containers to which the role will be applied:

Domain

Organizational Unit (OU): browse to the OU

Group: browse to the group

5. Type a description and click OK.


To create a new role definition:
1. In the TMS Authorization Manager navigation pane, right-click Role
Definition, and click New Role Definition.
The Role Definition window opens.
2. Enter the Name and Description of the new role definition and click Add.
The TMS Administrator Definition Properties window opens.
3. In the Definition tab, click Add.
The Add Definition window opens.
4. Select the roles to be added.
The selected Roles are added to the Role Definition window.
To create a new task definition:
1. In the TMS Authorization Manager navigation pane, right-click Task
Definition, and click New Task Definition.
The New Task window opens.
2. Enter the Name and Description of the new role definition and click
Add.
To change the Role Store:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select Roles, and then click Change Role Store from
the available choices.
The Create New Authorization Management Store window opens.
3. Select where you want to create the store and click OK.

Configuring Backend Service
To configure the Backend Service:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select Backend Service, and then click Change
Schedules.
The Change TMS Service Scheduling window opens.
3. Select the scheduling frequency from the available options:
Periodically: specify the number of hours after which the scheduling is
to occur
Daily: specify the time at which scheduling is to occur
Weekly: specify the day of the week and the time at which scheduling
is to occur
4. Click OK to exit the window.

Clearing Attendance Reports History
To clear attendance reports history:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select Attendance Reports > Clear History.


Viewing License
The Administrator can view the License details in the License Details window.
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select License > View.
The License Details window opens with the details of the current license.

Upgrading License
If the Administrator needs to upgrade the License, this can be done in the
Upgrade License window.
To upgrade the license:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
2. On the Action menu, select License > Upgrade.
The Upgrade License window opens.
3. Enter the new license string provided by Aladdin, click Set License and
click Close to exit the window.

Editing the TMS
You can edit the settings created by the first run of the configuration wizard,
as follows:
Configure the Token Policy
Re-run the configuration wizard on a new domain
Configure TMS service account or update password

Configuring Token Policy
To modify Token Policy:
1. From the Windows Start menu, go to Programs > Administrative Tools
> Active Directory Users and Computers.
The Active Directory Users and Computers window opens.
2. Right click production.com in the navigation pane and select
Properties from the dropdown menu.
The Properties dialog box opens.
3. Click the Token Policy tab and click Open in the dialog box that opens.
The Token Policy Object dialog box opens.
4. Select the Default Policy and click Edit.
The Token Policy Object Editor dialog box opens.
5. Configure the TPO rules/settings (see TPO Settings on page 132).

Re-running the TMS Configuration Wizard
To re-run the TMS Configuration Wizard:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
The Edit TMS Settings window opens.
2. In the General menu, click New Configuration.
The TMS Configuration wizard opens.
3. Run the wizard (see TMS Configuration on page 49).

Configuring the TMS service account and password
To configure the TMS service account and password:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 >
TMS Configuration Tool.
The Edit TMS Settings window opens.
2. In the General menu, click Change TMS Services Account.
The Change TMS Services Account dialog box opens.
3. Browse to the account, enter the password, confirm the password and
click OK.

Chapter 9
Defining Token Policies
After installing the TMS, you should define the user profiles as required by
your organization.
TMS extends the Microsoft Active Directory Users and Computers snap-in by
installing several snap-in extensions.
This chapter includes the following:
Understanding TPOs
The Microsoft Active Directory Users and Computers Snap-in
Configuring TPO Objects
Specifying TPO Scope
TPO Settings

Understanding TPOs
When defining resources for users in the organization, Aladdin eToken TMS
follows the Microsoft concept of objects. In Microsoft they are known as
Group Policy Objects (GPO). In TMS they are called Token Policy Objects
(TPO).
For more information on GPOs, and Organizational Units (OUs), refer to
Microsoft Active Directory documentation.
This document assumes you are familiar with the general Active Directory
(AD) concepts such as Organizational Units (OUs), GPO, Active Directory
user, Domain, AD groups, and AD security list.

TMS System Objects

TPO Overview
TPO (Token Policy Object) is an Active Directory object that contains TMS
connector rules definitions. It operates exactly the same way that a GPO
would operate.
In TMS, a new TPO tab is added to the container's Properties window.
TPOs contain exactly the same type of connector rules and may be attached to
zero or more OUs or Domains, in exactly the same way as a GPO would be
attached to them.

Note: When working in Shadow mode, it is possible to work only with TPOs.

The Microsoft Active Directory Users and Computers Snap-in
The Microsoft Active Directory Users and Computers snap-in is an MMC
Snap-in provided by Microsoft. This snap-in is the standard tool on Windows
2000 Server, Windows 2003 Server, or Windows XP work station that has the
Admin Pack installed. It enables the system administrator to manage the
users, groups and organization units in an Active Directory domain.
To activate the Active Directory Users and Computers Snap-in:

From the start menu, select Programs > Administrative Tools > Active
Directory Users and Computers.
The Active Directory Users and Computers Snap-in opens.

Configuring TPO Objects
Use the TPO editors to define connector rules for enrollment and to edit
many of the enrollment process parameters.
TMS installs a dual-mode Snap-in into the operating system. The snap-in
extends the GPO editor to enable the administrator to create and add
connector rules and enrollment rules. This snap-in is actually the TPO editor
when it is opened as a stand-alone MMC snap-in.


Note: To use the TPO editor, you must have the necessary permissions to the
Authorization Management Store (Active Directory or XML file). For details
about setting user permissions, see User Permissions, page 241.

To open the TPO Editor:
1. From the Start menu, go to Start > Programs > Administrative Tools >
Active Directory Users and Computers.
2. Select the Organization Unit to which you want to assign the TPO.
Note: If you want to assign the TPO to all the users in the domain, you
must select the domain itself from the tree control.
3. Right-click the selected container in the navigation pane and select
Properties from the drop-down list.

The Organization Unit's Properties dialog box opens.
4. Select the Token Policy tab and click Open.
The TPO Policy Object dialog box opens.
5. Select the policy object and click Edit.
Note: The order of the Token Policy Object Links is important. In case of a
conflict between policies, the system will follow the policy definition of the
upper object. To change the order of the Token Policy Objects, select an
object and move it by using the Up and Down buttons.
The eToken Policy Object Editor opens.
For details on editing a TPO, see TPO Settings on page 132.

Propagating TMS Server Name


The TMS server name should be known to all domain users. This can be done
using the Administrative Templates (ADM) file. This file allows the registry
keys of the entire domain to be managed.
Aladdin provides the ADM files to propagate the TMS Server name to all the
domain users.
To provide the ADM file to domain users:
1. From the Start menu, go to Start > Programs > Administrative Tools >
Active Directory Users and Computers.
2. Right-click the domain, and click Properties.
The Organization Unit's Properties dialog box opens.
3. Click the Group Policy tab.
The GPO Links dialog box opens.
4. Click Edit.
The GPO Editor opens.
5. Right-click Administrative Templates in the navigation pane and click
Add/Remove Templates...
The Add/Remove Templates dialog box opens.
6. Click Add and navigate to the folder in which the TMS files are placed.
For example: C > Program Files > Aladdin > eToken > Adm > Tms.adm.
7. In the GPO Editor select Computer Configuration > Administrative
Templates > Token Management System.
The Token Management System Settings window opens.
The right pane of the TMS Settings window displays all the server settings as
shown in the following table.
8. To change a setting, right click the setting icon, select Properties and
make the required changes described as follows:


TMS Servers Settings
Setting               Description
Default TMS server    The URL of the default server in the organization.
                      The URL uses the following syntax: http://computername,
                      where computername is the computer where IIS and TMS
                      Server are located.
TPO server            The URL of the server running the TPO editor web service.
                      Use this setting only if it differs from the default TMS
                      server.
Desktop Agent server  The URL of the server running the Desktop Agent web
                      service. Use this setting only if it differs from the
                      default TMS server.
HelpDesk server       The URL of the server running the TMS Management web site.
                      Use this setting only if it differs from the default TMS
                      server.
Proxy server          The address/port of the proxy server in the format
                      proxy:port. If port is omitted, the default port (80) will
                      be used. If empty, no proxy is used and all other proxy
                      parameters are ignored. If set to <CURRENT_USER>, the
                      settings will be taken from Internet Explorer.
Proxy user            Proxy username, if required
Proxy Password        Proxy password, if required

Note: The settings are updated at the next group policy update. To run a
group policy update immediately, run the following command:
gpupdate /force
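The fallback and proxy rules in the table above, applied in code so the values can be checked before they are pushed out by group policy. This is an added example, not code from the guide or from Aladdin; the function names, the dict layout and the sample values are assumptions, while the setting names and rules are those the table states.

```python
"""Resolution of the TMS Servers ADM settings from the table above.

Added example, not code from the TMS guide or from Aladdin. The setting
names and rules are the ones the table states; the function names, the dict
layout and the sample values are assumptions made here.
"""
from typing import Dict
from urllib.parse import urlsplit

# Settings that fall back to the Default TMS server when left empty
# ("Use this setting only if it differs from the default TMS server").
OVERRIDE_KEYS = ("TPO server", "Desktop Agent server", "HelpDesk server")


def check_server_url(value: str) -> str:
    """Check the syntax the table gives (http://computername) and return the
    trimmed URL. Assumption: a trailing slash or path after the host is fine."""
    text = value.strip()
    parts = urlsplit(text)
    if parts.scheme.lower() != "http" or not parts.hostname:
        raise ValueError(f"expected http://computername, got {value!r}")
    return text.rstrip("/")


def parse_proxy_setting(value: str, proxy_user: str = "",
                        proxy_password: str = "") -> Dict[str, object]:
    """Interpret the Proxy server value:
       - empty           -> no proxy; the other proxy parameters are ignored
       - <CURRENT_USER>  -> settings are taken from Internet Explorer
       - proxy[:port]    -> explicit proxy; port defaults to 80"""
    text = value.strip()
    if text == "":
        return {"mode": "none"}
    if text == "<CURRENT_USER>":
        return {"mode": "current_user"}
    host, sep, port_text = text.rpartition(":")
    if not sep:                      # no colon at all: whole value is the host
        host, port = text, 80
    else:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad proxy port in {value!r}")
        port = int(port_text)
    if not host:
        raise ValueError(f"missing proxy host in {value!r}")
    result: Dict[str, object] = {"mode": "explicit", "host": host, "port": port}
    if proxy_user:
        result["user"] = proxy_user
        result["password"] = proxy_password
    return result


def resolve_tms_servers(settings: Dict[str, str]) -> Dict[str, object]:
    """Apply the fallback and proxy rules to a dict keyed by the setting names
    in the table, returning the URLs a client would actually use."""
    default = check_server_url(settings["Default TMS server"])
    resolved: Dict[str, object] = {"Default TMS server": default}
    for key in OVERRIDE_KEYS:
        raw = settings.get(key, "").strip()
        resolved[key] = check_server_url(raw) if raw else default
    resolved["proxy"] = parse_proxy_setting(
        settings.get("Proxy server", ""),
        settings.get("Proxy user", ""),
        settings.get("Proxy Password", ""),
    )
    return resolved


# Constructed sample values: one explicit override and a proxy without a port.
SAMPLE_SETTINGS = {
    "Default TMS server": "http://tmsserver",
    "TPO server": "",
    "Desktop Agent server": "http://agentserver/",
    "HelpDesk server": "",
    "Proxy server": "proxy.corp.example",
    "Proxy user": "",
    "Proxy Password": "",
}

if __name__ == "__main__":
    for name, value in resolve_tms_servers(SAMPLE_SETTINGS).items():
        print(f"{name}: {value}")
```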

Performing Other Actions on the TPO


A number of other actions can be performed within the Properties dialog box.
To create a new TPO object:
1. In the Token Policy Object editor, click New.
A New Token Policy Object is added to the Token Policy Object Links.
2. Enter a name for the new Token Policy Object, and click OK to exit the
window.
To add a policy object:
1. In the Token Policy Object editor, click Add.
The Add a Token Object link dialog box opens.
2. Enter a name for the added policy object and click OK to exit the dialog
box.
To delete a TPO object:
1. In the Token Policy Object editor, click Delete.
The Delete dialog box opens.
2. Select one of the options:
Remove the link from the list: deletes the link from the specific OU
TPO
Remove the link and delete the Token Policy Object permanently:
deletes the link entirely from the system
3. Click OK.
To check the policy options of the new TPO:
1. In the Token Policy Object editor, click Options.
The New TPO Options dialog opens.
2. Select the required option and click OK.
To check the new TPO properties:
1. In the Token Policy Object editor, click Properties.
The New Token Policy Object Properties dialog box opens.
2. Click the Apply to tab.
The Default policy Properties dialog box opens.
3. Click Add.
The Select User or Group dialog box opens.
4. Enter:
The object type
From which location
Name of the object
5. Click OK to exit from the dialog box.

Specifying TPO Scope


By default, each connector rule applies to all users of all organization units or
domain (and their child units) linked to the TPO containing the rule.
You can limit the scope of connector rules. This requires filtering out certain
users from being included in the defined parameters. This can be achieved in
a number of ways:

Control TPO scope with the Security tab

Use TPO Block Policy Inheritance flags

Use TPO No Override flags

Use TPO Disable flag

Controlling TPO Scope with the Security Tab


When using a production domain, each TPO has a security list that may be
used to filter out users.


To filter out users:
1. From the Start menu, go to Programs > Administrative Tools > Active
Directory Users and Computers.
2. Right-click the Organization Unit and select Properties.
The Properties window opens.

3. Click the Token Policy tab and click Open.
4. Select the required Token Policy Object Link.
5. If the TPO does not exist, click New to create one.
6. Click Properties to open the Policy Properties dialog box, and select the
Security tab.
7. In the Group or user name box, select a group or user and in the
Permissions for Administrator box, clear the Allow value from the
attribute Apply Token Policy.
8. Click Add to add users to the security list to which you want the amended
TPO to apply.
The Select Users, Computers, or Groups dialog box opens.
9. Enter the Users and Groups to be added to the security list.
10. When the list is complete, click OK.
The Default Token Properties dialog box opens.
11. Select the new users and give them access to the TPO by setting the
Apply Token Policy checkbox in the Permissions for Administrator box to
Allow.
Note: You can also filter users out by adding them to the list and setting
the value of the Apply Token Policy attribute to Deny.

Block Policy Inheritance
The Block Policy Inheritance is a flag defined by Microsoft for each
Organization Unit and can be set on the Token Policy tab of the Organization
Unit Properties dialog box by selecting the Block Policy inheritance check box.
Setting this flag causes the users of the OU on which it is set not to receive
any TPO definitions from that OU's parent OUs.
The TMS enrollment process supports this flag. For more information about the
flag, refer to Microsoft documentation.

No Override
The No Override is a flag defined by Microsoft and relates to any single link
between an OU and a TPO. The flag can be set in the Options dialog box that is
opened from the OU Properties Token Policy tab by selecting Options. When
this flag is set, child OUs of the current OU will not be able to override any
TPO definitions of the OU. The No Override flag has a higher priority than the
Block Policy Inheritance flag.
The TMS enrollment process supports this flag. For more information about the
flag, refer to Microsoft documentation.
TMS defines this flag with the same name that applies to TPOs; it can be
viewed and set in the TPO Options dialog box.

TPO Disable
The TPO Disable flag enables an administrator to temporarily disable a link
between an OU and a specific TPO. The flag can be set in the Options dialog
box that is opened from the OU Properties Token Policy tab by selecting
Options.

TPO Settings
TPO Settings are important for determining how TMS controls and executes
policies. There are a number of default settings that operate once TMS is
installed. The Administrator must determine if these defaults are suitable
according to organizational policy.
TPOs are divided into different sections. Each section deals with a specific set
of parameters. Each policy can be edited individually. Each section has a
picture of the TPO Editor and a table detailing its name, a description of the
policy and the default setting. The various sections are:
General Settings: see page 136
Connectors Settings: see page 137
eToken Settings: see page 137
Enrollment Settings: see page 144
Recovery Settings: see page 147
Audit Settings: see page 149
TMS Backend Settings: see page 151
Desktop Agent Settings: see page 152

To edit TPO Settings:
1. Open the TPO Editor as described in Configuring TPO Objects on page
115.
The Token Policy Objects Editor opens.

2. Select the appropriate section and the policies for that section (Mail
Server) as shown in the right pane.
3. Double-click the required Policy (or select Properties from the right-click
dropdown list).
The Mail Server Properties dialog box opens.
Each Policy's Properties dialog box displays:
A navigation control: Previous or Next
Policy Name
Policy Icon
Brief description of the policy function
Default setting
A Define this policy setting option to enable the policy
A Mail server field
4. Select the Define this policy setting option to enable it.
5. Complete the required details in the Mail server field.
6. If this is the only policy to edit, select Apply and OK to return to the
Token Policy Object Editor.
OR
Select Next to move to the next Policy Properties dialog box.
7. Continue this process for all policies or return to the Token Policy Editor
to select specific policies to edit.

TMS Policy Object
Node               Policy/DN   Description
TMS Policy Object              All TMS policy settings are placed here


General Settings
General Settings define the general settings under its node.
Currently the Mail Server is the only node under the General Settings.

Mail Settings
Node         Policy/DN          Description                           Default
Mail Server  Mail server        Defines mail server address           localhost
             Mail sender        Defines from whom TMS emails are      tms@tms.com
                                sent.
                                Tip: Check that the email address is
                                correct. TMS does not check that a
                                valid email address format has been
                                used.
             Mail server user   Defines the user account name used    This setting is not
             account name       for mail server log on                used. Logon to mail
                                                                      server is not required
             Mail server user   Defines the user account password     This setting is not
             account password   used for mail server log on           used. Logon to mail
                                                                      server is not required

Connector Settings
Connector Settings controls the behavior of applications on the eToken.
Note: Details on configuring connector settings can be found later in this
document.

eToken Settings
eToken Settings controls how TMS sets the eToken properties.
Note: Additional settings can be set only in eToken PKI.
eToken Settings includes the following nodes:

eToken Initialization: determines how an eToken is initialized in TMS

Password Configurations: controls how the eToken passwords are
initialized

Password Policy: controls the password policy rules

eToken Properties: controls initialization of various eToken properties

Initialization Key: controls the eToken initialization keys

Advanced Settings: controls advanced eToken initialization settings.

eToken Settings
Node            Policy/DN              Description                          Default
eToken          Token name for         Defines the eToken name before it    Token name will not be
Settings        unassigned tokens      is assigned                          changed
                Token name template    Defines the eToken assigned name     Token name will not be
                for assigned tokens                                         changed
eToken          Token backward         Defines eToken backward              Token will be backward
Initialization  compatibility          compatibility                        compatible with RTE
                                                                            versions 3.65 and lower
Passwords       One factor             Defines if the Token requires a      Token requires a user
Configuration                          user password to log on              password
                Default user password  Defines the default eToken user      User password is
                                       password                             1234567890
Password        Proxy mode             Defines whether the password policy  Token does not use
Policy                                 parameters are read from the host    proxy mode
                                       (proxy mode)
                Minimum password       Defines the minimum length of the    Minimum password
                length                 eToken password                      length is 4
                Password must meet     Defines if the password has to meet  Password complexity
                complexity             MS Windows style complexity          requirements must be
                requirements           requirements                         met
                Maximum usage period   Defines the maximum usage period     Maximum usage period
                                       of the eToken password               is 90 days
                Minimum usage period   Defines the minimum number of days   Token has no minimum
                                       before the eToken password can be    usage period
                                       changed
                Warn period            Defines how many days before the     User will not be warned
                                       password expires that the user       before the password
                                       should be warned                     actually expires
                Passwords history      Defines how many old passwords       History size is 15
                size                   saved on the eToken are not allowed  passwords
                                       to be repeated
                First logon password   Defines if the end user has to       Password change is not
                change after           change the token password on first   required.
                enrollment             logon after enrollment               Note: Before using the
                                                                            policy you must
                                                                            initialize the token in
                                                                            TMS or you must enable
                                                                            the policy Initialize
                                                                            token during the
                                                                            enrollment. This policy
                                                                            is not supported by
                                                                            eToken Virtual.
eToken          Maximum number of      Defines the maximum user logon       Maximum user logon
Properties      user logon failures    failures allowed                     failed attempts is 15
                                                                            times
                Maximum number of      Defines the maximum administrator    Maximum administrator
                administrator logon    logon failures allowed               logon failed attempts
                failures                                                    is 15 times
                Reserve space for      Defines if space for RSA keys is     No space is reserved
                RSA keys               reserved                             for RSA keys
                Number of RSA keys     Defines the amount of space          No space is reserved
                reserved               reserved for RSA keys                for RSA keys
                FIPS compliant         Determines if the eToken will be     Token is not FIPS
                                       initialized FIPS compliant           compliant
                Initialize the         Determines if the eToken is          PKCS#11 user PIN is
                PKCS#11 user PIN       initialized with a PKCS#11 user PIN  initialized
                Load 2048-bit RSA      Determines if the 2048-bit RSA keys  The 2048-bit RSA keys
                keys support modules   support module is loaded on the      support module is not
                                       eToken                               loaded
                Load HMAC SHA1         Determines if the HMAC SHA1 support  The HMAC SHA1 support
                support module         module is loaded on the eToken       module is not loaded
Initialization  Use default            Defines whether the default          The default
Key             initialization key     initialization key is used as the    initialization key is
                                       current key. Usually, the default    used as the current key
                                       keys are those supplied by Aladdin,
                                       so this policy remains with its
                                       default setting.
                Current                Specifies the current                The default
                initialization key     initialization key if the default    initialization key is
                                       initialization key is not used.      used as the current
                                       This is required if you have         initialization key
                                       configured the Use default
                                       initialization key policy not to
                                       use the default keys as supplied by
                                       Aladdin.
                Create a new           Defines whether a new                New initialization key
                initialization key     initialization key is created. This  is not created
                                       setting is enabled if you wish to
                                       create an initialization key that
                                       can be used only by TMS.
                New initialization     Defines the exact value of the new   New initialization key
                key                    initialization key. The Create a     is not created
                                       new initialization key policy must
                                       be enabled if you want to define a
                                       new initialization key. The new key
                                       can be used only by TMS.
                                       Select Define this Policy Setting,
                                       then select one of the following:
                                       Default: Remain with the default
                                       initialization key.
                                       Random: Creates a randomly
                                       generated initialization key. If
                                       you lose the key, the token will be
                                       unusable.
                                       This Value/Confirm: Creates a
                                       static initialization key.
Advanced        Private data caching   Defines when private data is cached  Always
Settings        mode
                RSA keys secondary     Defines how RSA keys secondary       Never
                authentication mode    authentication is used

Enrollment Settings
Enrollment Settings control the eToken enrollment process.

Enrollment Settings includes the nodes:

General Properties

Notification
The Notification settings define the behavior of the Notification Letter.
See also Configuring Enrollment Notification Letters page 155.
Note: The General Properties and Notification Settings are applied only to
the TMS Management Center.

Enrollment Settings

Node | Policy/DN | Description | Default
---- | --------- | ----------- | -------
General Properties | Maximum number of active tokens per user | Sets the maximum number of non-revoked eTokens per user | One active token per user
 | Initialize token during enrollment | Determines if the eToken is initialized during enrollment | Tokens will not be initialized during enrollment
 | Set a random token user password | Determines if a random eToken user password is set during enrollment | Random token user password is not set
 | Random token user password length | Sets the random eToken user password length | Random token user password length is 12 characters
 | Random token user password content | Defines the random eToken user password content | Random token user password will contain digits only
 | User notification enabled | Defines if the user is notified on a new eToken enrollment. Note: Will be applied in the management site only. | End user is not notified
Notification | HTML template file | Specifies the HTML template file to use for notification | None
 | Save notification letter | Determines whether to save the notification letter to the hard drive | The notification letter is not saved
 | Notification letter storage location | Sets enrollment notification letter storage location | No location required
 | Send notification email | Determines whether to send a notification email | Email notification is not sent
 | Notification email subject | Sets the notification email subject | No subject
 | Print notification letter | Determines whether to print the notification letter | Notification letter is not printed
 | Use an external program | Determines if an external program is used | No external program is used
 | Select external program | Defines which external program to use | No external program is used

Recovery Settings
Recovery Settings sets options for lost eTokens or lost eToken passwords.

Recovery Settings

Node | Policy/DN | Description | Default
---- | --------- | ----------- | -------
Recovery Settings | Allow token unlock | Enables creation of administrator password for eToken unlock | Tokens can be unlocked
 | Administrator password type | Defines which administrator password type to use | Random administrator password is used
 | Use of eToken Virtual enabled | Determines if users are allowed to have a replacement eToken Virtual | Users are not allowed to have a replacement eToken Virtual
 | Maximum eToken Virtual usage period | Defines the maximum usage period for the replacement eToken Virtual | eToken Virtual will expire after 14 days
 | eToken Virtual download method | Defines how eToken Virtual is downloaded to user machine | eToken Virtual is downloaded manually
 | User authentication questions | Defines the questions to be used for user authentication | No questions (users cannot authenticate)
 | Number of random questions used | Sets the number of random questions to use for user authentication | No random questions used
 | Maximum number of authentication retries | Sets the maximum number of authentication retries allowed to the TMS travel kit web site | 3 logon attempts
 | Helpdesk authentication required | Sets if user authentication is required for Helpdesk service | User authentication is not required
 | Maximum password login usage period | Sets the maximum usage period a temporary password can replace a missing eToken | Maximum usage period is 3 days

Audit Settings
Audit Settings details where audit information is logged.

Audit Settings

Node | Policy/DN | Description | Default
---- | --------- | ----------- | -------
Audit Settings | Audit log server | Defines the server location of the log | localhost
 | Audit log name | Specifies which log is used | Application
 | Audit source name | Specifies which source name to use | TmsAudit
Audit Notification | Administrator notification enabled | Defines if the administrator is notified about audit events | No notification is used
 | Administrator notification configuration | Details the administrator notification configuration | Administrator is not notified
 | User notification enabled | Defines if the end user is notified about audit events related to his eToken | End user is not notified
 | User notification configuration | Details the end user notification configuration | End user is not notified

TMS Backend Service Settings


TMS Backend Service settings control configuration of TMS Backend Service
capabilities.

TMS Backend Service Settings

Node | Policy/DN | Description | Default
---- | --------- | ----------- | -------
TMS Backend Service Settings | Disable temporary password logon automatically | Determines if temporary password logon is automatically disabled | Temporary password logon is disabled
 | Revoke open eToken Virtual | Determines if open eToken Virtual is revoked automatically | Open eToken Virtual is revoked automatically
 | Automatically revoke token with missing user | Determines if the eToken, whose user was deleted from AD, is automatically revoked | Token with missing user is automatically revoked
 | Automatically revoke token with disabled user | Determines if the eToken, whose user was disabled in AD, is automatically revoked | Token with disabled user is not automatically revoked
 | Automatically synchronize users data | Automatically keep TMS database integrity by synchronizing users data | Users data is automatically synchronized

Desktop Agent Settings


Desktop Agent settings control configuration of the TMS Desktop Agent
capabilities.

Desktop Agent Settings

Node | Policy/DN | Description | Default
---- | --------- | ----------- | -------
Desktop Agent Settings | Enable token update alerts | Defines whether to display alerts to the user if the eToken content is not aligned with definitions or about to expire | Token update alerts are enabled
 | Expiry alert period start | Defines the number of days to show update alert prior to eToken expiry date | Expiry alert starts 30 days before token expires
 | Alert message | Defines the message the user sees in cases of an eToken update alert | Your token data requires update
 | Alert title | Defines the alert message title the user sees in cases of an eToken update alert | eToken Notification
 | Alert message click action | Determines the action that occurs when the user clicks the alert balloon | No action
 | Detailed message | The message displayed when the user clicks on the balloon. Used only if Click Action is set to 'Show detailed message' | Empty
 | Action website URL | The website URL to open when the user clicks on the balloon. Used only if Click action is set to 'Open website' | Not defined
 | Minimum alert interval | Defines the minimum interval in days between two alerts to the same user | Minimum alert interval is 4 days
 | Alert check interval | Alerts will be checked whenever an eToken is inserted or when the specified number of days has passed since the last alert check (even if an eToken was not inserted) | Alert check interval is 14 days
 | Enable token auditing | Defines whether to enable auditing of eToken insertion and removal events | Token insertion/removal auditing is enabled

Chapter 10
Configuring Enrollment Notification
Letters
When the administrator makes a change affecting a user, TMS can generate a
notification letter and perform one or more of the following actions: email it
to the user, save it as a file, print a hard copy.
The notification can include any required text and details such as passwords
and serial numbers which are derived from TMS through the use of key
words.
This chapter includes the following:

Main Steps

Enrollment Letter Templates

Keywords


Main Steps
To set up and configure enrollment or audit notification letters you must
perform the following steps:

Configure the Enrollment Letter or settings in TPO

Edit the letter template

Configuring the Enrollment Letter Settings


The Enrollment Letter Settings in TPO enable you to do the following:

Activate the User Notification function

Select the HTML template file

Save the notification letter at a selected location

Send an email notification to the user, with a specified subject line

Print the letter

Run an application upon notification, and include selected parameters


This refers to any application that has been developed to perform an
action not supported by the standard TMS settings, such as updating a
database upon notification.

Note: For details about changing the settings in TPO, see Enrollment
Settings, page 105.

Editing the Enrollment Notification Letter Template
Sample templates are provided in the MailTemplates folder, typically located
at: C:\Program Files\Aladdin\eToken\Tms20\MailTemplates
Each template contains text and keywords.
To customize a template, replace the text and add keywords as required.

Enrollment Notification Letter Keywords


The variables are retrieved by TMS from data in Active Directory (AD). If the
data does not exist in AD, it will not appear in the enrollment letter; the
keywords will be displayed instead.
General

Keyword | Description
------- | -----------
$Office | User's office location
$User_Email | User's email address
$User_First_Name | User's first name
$User_Last_Name | User's last name

Address

Keyword | Description
------- | -----------
$City | City
$Country_Region | Country or region
$State_Province | State or province
$Street | Street name
$PO_Box | Post office box number
$Zip_Postal_Code | Zip code

Organization

Keyword | Description
------- | -----------
$Company | Name of company
$Department | Name of department

Account

Keyword | Description
------- | -----------
$User_Logon_Name | The name the user uses to log on to an Active Directory domain. Uses the following syntax: user@domain.com
$User_Account_Name | The user's name using the pre-Windows 2000 syntax: domainname\username

Token

Keyword | Description
------- | -----------
$etoken_admin_password (This is supported in TMS 2.0 SP1 and higher) | eToken administrator password. Note: The password is retrieved only if set to random. This is the default setting in TPO when specifying an administrator password for the tokens.
$Token_Password | eToken password. Note: The password is retrieved only if set to random.
$Token_Serial | eToken's serial number

Enrollment

Keyword | Description
------- | -----------
$Enrollment_Date | Date when token was enrolled
$Enrollment_Time | Time when token was enrolled

OTP Connector

Keyword | Description
------- | -----------
$otp_pin | The OTP PIN to be sent to the user during the enrollment process. Note: The OTP PIN is retrieved only if set to random.

Chapter 11
Auditing TMS Events
The administrator can use the Event Viewer to see the details of TMS
administration events, and can configure TMS to send email notifications to
end users and administrators.
This chapter contains the following sections:

Configuring Audit Settings for Viewing in Event Viewer

Configuring Audit Settings for Sending Notification Messages

Viewing TMS Events in the Event Viewer

Configuring Audit Settings for Viewing in Event Viewer
The Administrator can determine which events are displayed in the Event
Viewer.
To configure audit settings for Event Viewer:
1. Open the TPO Editor (see Configuring TPO Objects, page 115).

The Token Policy Objects Editor opens.


2. Select Audit Settings from the navigation tree in the left pane.
The Policies associated with Audit Settings are displayed in the right pane.

3. Double click the policy, Audit log server, in the right pane (or right-click
and select Properties).
The Audit log server Properties dialog box opens.


The default setting is: localhost.


4. To change the default setting select Define this policy setting, enter
the IP address or server name and click OK.
The policy, Audit log server is defined.
5. Double click the policy, Audit log name, in the right pane (or right-click
and select Properties).
The Audit log name Properties dialog box opens.

The default setting is: Application.


6. To change the default setting, check Define this policy setting, enter
the log name and click OK.
The policy, Audit log name is defined.
7. Double click the policy, Audit source name, in the right pane (or right-click and select Properties).
The Audit source name Properties dialog box opens.

The default setting is: TmsAudit.


The audit source name determines the source name displayed in the Event
Viewer.
8. To change the default setting, select Define this policy setting, enter
the audit source name and click OK.
The Audit source name is changed.

Configuring Audit Settings for Sending Notification Messages
The Audit Notification Settings in TPO enable you to do the following:

Activate the User Notification function for administrator and user

Select the HTML template file

Define the administrator's or user's email address, with a specified subject
line.

Select the events to be included in the notification.

To Configure the Administrator Notification settings:


1. Open the TPO Editor (see Configuring TPO Objects, page 115).

The Token Policy Objects Editor opens.


2. Expand Audit Settings from the navigation tree in the left pane and select
Audit Notification.
The Policies associated with Audit Settings are displayed in the right pane.

3. Double click the policy, Administration notification enabled, in the
right pane (or right-click and select Properties).
The Administration notification enabled Properties dialog box opens.

The default setting is: No notification is used.


4. Check Define this policy setting, select Enabled and click OK.
The policy, Administrator notification enabled is enabled.
Note: If Define this policy setting is not selected and the
Organizational Unit (OU) is a child of another OU, the child OU inherits
the setting of the parent OU. To disable this policy setting without
inheriting the settings from the parent OU, select Define this policy
setting and select Disabled.
5. Double click the policy, Administration notification configuration,
in the right pane (or right-click and select Properties).
The Administration notification configuration Properties dialog box
opens.

The default setting is: Administrator is not notified.


6. Check Define this policy setting, click Add, enter a name for the new
rule and click OK.


The policy, Administrator notification enabled is defined.


7. To make changes to the added rule, click Edit.
The Edit administrator notification rule dialog box opens.

8. Select the required Events.


9. Select the notification for the Event levels (Information, Error, Warning).
10. To configure email notification, select the Emails tab.


11. Click Add and enter the required email address.


12. In the Subject field enter the content of the email subject line.
13. In the Template field enter the path to the email template.
See Configuring the Audit Notification Letter Template, page 171.
14. Click OK.
The policy, Administration notification configuration is defined.
To configure the User Notification:
1. Open the TPO Editor (see Configuring TPO Objects, page 115).

The Token Policy Objects Editor opens.


2. Double click the policy, User notification enabled, in the right pane (or
right-click and select Properties).
The User notification enabled Properties dialog box opens.


The default setting is: End user is not notified.


3. Check Define this policy setting, select Enabled and click OK.
The policy, User notification enabled is enabled.
Note: If Define this policy setting is not selected and the
Organizational Unit (OU) is a child of another OU, the child OU inherits
the setting of the parent OU. To disable this policy setting without
inheriting the settings from the parent OU, select Define this policy
setting and select Disabled.
4. Double click the policy, User notification configuration, in the right
pane (or right-click and select Properties).


The User notification configuration Properties dialog box opens.

The default setting is: End user is not notified.


5. Check Define this policy setting, click Add, enter a name for the new
rule and click OK.

The policy, User notification enabled is defined.


6. If it is necessary to make changes to the added Rule, click Edit.


The Edit user notification rule dialog box opens.

7. Select the required Events.


8. Select either/both of the following:

Notify the user about events performed for him

Notify the user about events performed by himself

9. Select for which event levels to send a notification (Information, Error,


Warning).
10. Enter the Subject and Template and click OK.
The policy, User notification configuration is defined.

Configuring the Audit Notification Letter Template
Sample templates are provided in the MailTemplates folder, typically located
at: C:\Program Files\Aladdin\eToken\Tms20\MailTemplates
Each template contains text and keywords.
To customize a template, replace the text and add keywords as required.

Audit Notification Letter Keywords


The variables are retrieved by TMS from data in Active Directory (AD). If the
data does not exist in AD, it will not appear in the notification letter; the
keywords will be displayed instead.
If changes have been made to data in AD, to ensure that the data is available
for inclusion in the user notification letter, run the User Synchronization
process before generating the enrollment letter. For details see Controlling
Backend Services, page 177.
The keys of events as they appear in the Event Viewer can also be used in the
Audit Notification Letter.
Note: In addition to the following audit keywords, the keywords for the
Enrollment Letter can also be used in the Audit Notification Letter. See
Enrollment Notification Letter Keywords, page 157.
Audit

Keyword | Description
------- | -----------
$Audit_Category | The application creating the event. For example: TMS Service, TMS Management Center, TMS Self Service Center or Management Tools
$Audit_Date_Time | The time and date of the event
$Audit_Event | The name of the event
$Audit_Message | The message describing the event
$Audit_Type | The event level: Information, Error or Warning
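The substitution rule above (a keyword is replaced only when TMS holds a value for it; otherwise the keyword itself is printed) applies to both the Enrollment Notification Letter Keywords and the Audit keywords. The following Python is an added example, not code from the guide or from TMS: it renders an HTML letter template that way, fills the two password keywords only when the TPO policy sets a random password, and HTML-escapes AD values so a stray '<' or '&' in an attribute cannot break the letter. The sample user, token, templates and audit event are constructed.

```python
import html
import re
from typing import Dict, Mapping, Optional

# A keyword is '$' followed by an identifier ($User_Email, $Audit_Type, ...).
# Matching whole identifiers in one pass, instead of one str.replace() per
# keyword, keeps a shorter keyword from clobbering the prefix of a longer one,
# and substituted text is never rescanned: an AD attribute whose value happens
# to contain "$Token_Password" is emitted literally, not expanded.
KEYWORD_RE = re.compile(r"\$[A-Za-z][A-Za-z0-9_]*")


def render_letter(template: str, values: Mapping[str, Optional[str]]) -> str:
    """Substitute $Keywords in an HTML letter template.

    A keyword with no value (attribute absent from AD, or a password the TPO
    policy did not set to random) stays in the letter as the literal keyword,
    which is what the keyword tables describe. Values are HTML-escaped because
    the template is HTML and AD attributes are free text.
    """
    def replace(match: "re.Match[str]") -> str:
        value = values.get(match.group(0))
        if value is None:
            return match.group(0)
        return html.escape(str(value), quote=True)

    return KEYWORD_RE.sub(replace, template)


def letter_values(ad_values: Mapping[str, str], token: Mapping[str, str],
                  admin_password_random: bool,
                  token_password_random: bool) -> Dict[str, str]:
    """Assemble the keyword values for one enrollment letter.

    ad_values maps keyword -> value as read from AD (absent attributes are just
    not present). token carries 'serial', 'password' and 'admin_password'. The
    password keywords are filled only when the corresponding TPO policy sets a
    random password, as the Token keyword table notes, so a static
    administrator password never reaches the letter.
    """
    values: Dict[str, str] = dict(ad_values)
    values["$Token_Serial"] = token["serial"]
    if token_password_random:
        values["$Token_Password"] = token["password"]
    if admin_password_random:
        values["$etoken_admin_password"] = token["admin_password"]
    return values


# Constructed sample data (not from the guide): a user whose AD record has no
# office attribute, enrolled under a TPO that sets a random token password but
# a static administrator password.
SAMPLE_AD = {
    "$User_First_Name": "Dana",
    "$User_Last_Name": "Example",
    "$User_Logon_Name": "dana@example.com",
    "$User_Account_Name": r"EXAMPLE\dana",
    "$Department": "R&D <Security>",  # '&' and '<' must not break the HTML
}
SAMPLE_TOKEN = {
    "serial": "0123456789ab",
    "password": "qj7Kp2Lm9Rz4",
    "admin_password": "static-admin-secret",
}
SAMPLE_ENROLLMENT_TEMPLATE = (
    "<p>Hello $User_First_Name $User_Last_Name ($Department, $Office),</p>"
    "<p>Your token $Token_Serial is ready. Password: $Token_Password</p>"
    "<p>Administrator password: $etoken_admin_password</p>"
)
# An audit letter may mix the enrollment keywords with the $Audit_* ones.
SAMPLE_AUDIT_TEMPLATE = (
    "<p>$Audit_Date_Time $Audit_Type: $Audit_Event for $User_Logon_Name</p>"
    "<p>$Audit_Message</p>"
)


def demo_enrollment_letter() -> str:
    values = letter_values(SAMPLE_AD, SAMPLE_TOKEN,
                           admin_password_random=False,
                           token_password_random=True)
    return render_letter(SAMPLE_ENROLLMENT_TEMPLATE, values)


def demo_audit_letter() -> str:
    values: Dict[str, str] = dict(SAMPLE_AD)
    values.update({
        "$Audit_Date_Time": "2008-05-20 09:15:02",
        "$Audit_Type": "Warning",
        "$Audit_Event": "Token revoked",
        "$Audit_Message": "Token 0123456789ab revoked: user disabled in AD",
    })
    return render_letter(SAMPLE_AUDIT_TEMPLATE, values)


if __name__ == "__main__":
    print(demo_enrollment_letter())
    print(demo_audit_letter())
```

In the sample output $Office and $etoken_admin_password remain literal, exactly as the guide says happens when AD lacks the attribute or the password is not random.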

Viewing TMS Events in the Event Viewer
To view TMS Events in the Event Viewer:
1. Right click My Computer and go to Manage > Event Viewer >
Application > Information.

2. Choose the required event. TMS events are listed with TMSAudit in the
Source column of the table in the right pane.


The Event Properties dialog box opens.

The Event Properties displays:


Date: the date of the event taking place

Source: the place where it is stored

Time: the exact time of the event taking place

Category: the event category

Type: the event type (for example: information)

Event ID: each event has a unique ID

User: user information

Computer: the computer on which the event is recorded

Description: a brief description of the event

Chapter 12
The TMS Backend Service
The Backend Service is used to control the TMS. This chapter describes the
different functions of the Backend Service.
This chapter includes the following:
Overview

Controlling Backend Services

Overview
The Backend Service generally works in the background, performing different
services as configured by the Administrator.
The different services controlled by the Backend Service Center are:

Disable temporary password logon

Revoke open eToken Virtual

Automatically revoke eToken with missing user

Automatically revoke eToken with disabled user

Automatically synchronize users data

The Backend Service can be controlled as follows:

Start Process

Stop Service

Pause Service

Continue Service

Start Service

To configure scheduling of services:
1. From the Windows Start menu, go to Programs>eToken>TMS 2.0>TMS
Configuration Tool.
2. On the Action menu, select Backend Service, and click Change
Schedule.

The Change TMS Service Scheduling window opens.

3. Ensure that Enable scheduling is checked and select the scheduling
frequency from the available options:

Periodically: specify the number of hours after which the scheduling is
to occur

Daily: specify the time at which scheduling is to occur

Weekly: specify the day of the week and the time at which scheduling
is to occur

4. Click OK to exit the window.


Note: After setting the TMS scheduling you must restart the service for the
changes to take effect.

Controlling Backend Services
To configure the Backend Service:
1. Right-click the Backend Service icon on the taskbar.
The Notification option list opens.

2. Select Start Process.


The Start Process sub-options are displayed.

The Start Process sub-options are:

All: Can be used for running the different tasks

Synchronize User Data: Updates user properties which have changed
since the last update

Automatic Revocation When: Automatically revokes the eToken when
the user is either deleted from the AD or the user is disabled in the AD

Revoke Opened eToken Virtual: Revokes all expired eToken Virtuals

Disable Temporary Logon Password: Disables all expired temporary
logon passwords

Managing Revocation
Automatic revocation is required when the user is deleted from the AD (for
example, the user left the company) or when the user is disabled in the AD
(for example, the user is absent for a long time).
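As an added example (not code from the guide or from TMS), the following Python models what one scheduled Start Process run decides, using the defaults from the TMS Backend Service Settings and Recovery Settings tables: revoke when the user is gone from AD, leave tokens of disabled users alone unless that policy is enabled, revoke eToken Virtuals past their 14-day usage period and disable temporary passwords past 3 days. The Token and BackendPolicy types and the sample tokens are constructed; worth noticing is that with the shipped defaults a disabled account keeps a working token until the "Automatically revoke token with disabled user" policy is changed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Mapping, Optional, Set

# Account state as the backend would read it from AD for each token's user.
ENABLED, DISABLED, MISSING = "enabled", "disabled", "missing"


@dataclass
class Token:
    serial: str
    user: str
    kind: str = "hardware"                          # "hardware" or "virtual"
    issued: Optional[datetime] = None               # eToken Virtual issue time
    temp_password_issued: Optional[datetime] = None  # temporary logon password


@dataclass
class BackendPolicy:
    """TMS Backend Service Settings plus the two Recovery Settings periods the
    tasks depend on, initialised to the defaults in the guide's tables."""
    revoke_missing_user: bool = True     # default: revoked
    revoke_disabled_user: bool = False   # default: NOT revoked
    revoke_open_virtual: bool = True     # default: revoked
    disable_temp_password: bool = True   # default: disabled
    virtual_usage_days: int = 14         # Maximum eToken Virtual usage period
    temp_password_days: int = 3          # Maximum password login usage period


def plan_run(tokens: List[Token], ad_status: Mapping[str, str],
             policy: BackendPolicy, now: datetime) -> List[Dict[str, str]]:
    """Return the actions one 'Start Process > All' run would take.

    A pure function with no side effects, so a run can be reviewed (and its
    output audited) before anything is revoked. Each token is revoked once.
    """
    actions: List[Dict[str, str]] = []
    revoked: Set[str] = set()

    def revoke(token: Token, reason: str) -> None:
        if token.serial not in revoked:
            revoked.add(token.serial)
            actions.append({"serial": token.serial, "action": "revoke",
                            "reason": reason})

    for t in tokens:
        # Automatic revocation: user deleted from AD / disabled in AD.
        status = ad_status.get(t.user, MISSING)
        if status == MISSING and policy.revoke_missing_user:
            revoke(t, "user deleted from AD")
        elif status == DISABLED and policy.revoke_disabled_user:
            revoke(t, "user disabled in AD")
        # Revoke Opened eToken Virtual: past its maximum usage period.
        if (t.kind == "virtual" and policy.revoke_open_virtual
                and t.issued is not None
                and now - t.issued > timedelta(days=policy.virtual_usage_days)):
            revoke(t, "eToken Virtual usage period expired")
        # Disable Temporary Logon Password: past its maximum usage period.
        if (policy.disable_temp_password and t.temp_password_issued is not None
                and now - t.temp_password_issued
                > timedelta(days=policy.temp_password_days)):
            actions.append({"serial": t.serial,
                            "action": "disable temporary password",
                            "reason": "temporary password usage period expired"})
    return actions


# Constructed sample (not from the guide); NOW is the time of the run.
NOW = datetime(2008, 5, 20, 2, 0)
SAMPLE_TOKENS = [
    Token("T1", "alice"),
    Token("T2", "bob"),                               # bob no longer exists in AD
    Token("T3", "carol"),                             # carol is disabled in AD
    Token("T4", "alice", kind="virtual", issued=NOW - timedelta(days=20)),
    Token("T5", "alice", temp_password_issued=NOW - timedelta(days=5)),
]
SAMPLE_AD = {"alice": ENABLED, "carol": DISABLED}     # no entry for bob


def demo_run(revoke_disabled: bool = False) -> List[Dict[str, str]]:
    policy = BackendPolicy(revoke_disabled_user=revoke_disabled)
    return plan_run(SAMPLE_TOKENS, SAMPLE_AD, policy, NOW)


if __name__ == "__main__":
    for action in demo_run():
        print(action)
```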


Chapter 13
The TMS Desktop Agent
The Desktop Agent can be used for sending expiry alerts to the Administrator
as well as the user, to audit the removal and insertion of the eToken, and for
downloading the eToken Virtual automatically from the web site to the users
computer.
Note: The TMS Desktop Agent works only when Active Directory (AD) or
ADAM is used as the user store.

This chapter includes the following:

Overview

Expiry Alert

Auditing the Removal and Insertion of eTokens

Automatic eToken Virtual Download


Overview
The Desktop Agent is an application used to perform a number of operations
as set by the Administrator. It can be installed on the desktops of all users (see
Installing the TMS Client Component, page 37). Every eToken inserted into
a computer on the network is logged on to the TMS, so the Administrator can
keep records of the number of users logged on at a given time, date, week and
so on.

The operations performed by the Desktop Agent are:

Expiry Alert

Audit, Removal and Insertion

Automatic eToken Virtual download

Expiry Alert
The Desktop Agent alerts users when their eTokens are about to expire. The
Administrator can also keep records of when eTokens are expected to expire.
Thus the users and administrators can take timely action.
To configure the Expiry Alert:
1. Open the TPO Editor as described in Configuring TPO Objects on page
115.

The Token Policy Objects Editor opens.

2. Select Desktop Agent Settings from the navigation tree in the left pane.


The Policies associated with Desktop Agent Settings are displayed in the
right pane.
3. Double click the property, Enable eToken update alerts (or right-click
and select Properties).
The Enable eToken update alerts Properties dialog box opens.

The default setting is: eToken update alerts are enabled.


4. Check Define this policy setting, select Enabled and click OK.
The policy, eToken update alerts is enabled.
5. Double click the property, Expiry alert period start, in the right pane
(or right-click and select Properties).


The Expiry alert period start Properties dialog box opens.

The default setting is: Expiry alert starts 30 days before eToken expires.
6. Check Define this policy setting, enter the number of days before
expiry you want to receive the alert and click OK.
You will receive an alert on the requested day as a pop-up balloon.

7. Double click the property, Alert message, in the right pane (or right-click and select Properties).

The Alert message Properties dialog box opens.

The default setting is: Your eToken data requires update.


8. Check Define this policy setting, enter the Alert message you want to
receive (for example, Your eToken expires in 14 days) in the Alert message
text field and click OK.
You will receive an alert, with the text you entered, on the requested day
as a pop-up balloon.
9. Double click the property, Alert title, in the right pane (or right-click and
select Properties).
The Alert title Properties dialog box opens.


The default setting is: eToken Notification.


10. Check Define this setting, enter the alert title you want to display (for
example, eToken expires) in the Alert title text field and click OK.
You will receive an alert, with the title you entered, in Bold, on the
requested day as a pop-up balloon.
11. Double click the property, Alert message click action, in the right
pane (or right-click and select Properties).
The Alert message click action Properties dialog box opens.

The default setting is: No action.


12. Check Define this policy setting, select the action from the drop-down
list (for example, Show detailed message) and click OK.


You will receive an alert, with the selected action, on the requested day as
a pop-up balloon.
13. Double click the property, Detailed message, in the right pane (or right-click and select Properties).
The Detailed message Properties dialog box opens.

The default setting is: Empty.


14. Check Define this policy setting, enter the detailed message you wish
to receive and click OK.
You will receive an alert on the requested day as a pop-up balloon. On
clicking the pop-up, another pop-up with the detailed message will open.


15. Double click the property, Action website URL, in the right pane (or
right-click and select Properties).
The Action website URL Properties dialog box opens.

The default setting is: Not defined.


16. Check Define this policy setting, enter the URL of the site you want
and click OK.
You will receive an alert on the requested day as a pop-up balloon. On
clicking the pop-up, the required website will open.
17. Double click the property, Minimum alert interval, in the right pane
(or right-click and select Properties).
The Minimum alert interval Properties dialog box opens.


The default setting is: Minimum alert interval is 4 days.


18. Check Define this policy setting, enter the number of days you want
between two consecutive alerts and click OK.
You will receive the next alert only after the set period of time (see Alert
Interval on page 190).

19. Double click the property, Alert check interval, in the right pane, (or
right-click and select Properties).
The Alert check interval Properties dialog box opens.

The default setting is: Alert check interval is 14 days.


20. Check Define this policy setting, enter the number of days you want
between two consecutive alert checks and click OK.
Your alerts will be checked whenever the eToken is inserted or after the
set number of days, even if the eToken is not inserted.

Alert Interval
The Alert interval (time between two alerts) can be set using two criteria:
Minimum alert interval

This is for users who need to insert the eToken in their computers a
number of times per day. It is not necessary to inform these users about
the token expiry date every time they insert the token, so a minimum
period is set, say seven days, and these users are reminded every seven
days that their token is about to expire.
Set time interval

Some users insert their tokens in their computers only once a week or
month. These users need to be reminded that their tokens are about to
expire without having to insert their tokens. The Set time interval sets the
time between two alerts such that the reminder appears on their computers
even without inserting their tokens.

Auditing the Removal and Insertion of eTokens


Auditing the eToken removal and insertion events enables the Administrator
to keep records of when eTokens are in use, at what time the most eTokens
are in use, on which days of the week the most work is done and so on.
To enable eToken auditing:
1. Open the TPO Editor as described in Configuring TPO Objects on page
115.
The Token Policy Objects Editor opens.


2. Select Desktop Agent Settings from the navigation tree in the left pane.
The Policies associated with Desktop Agent Settings are displayed in the
right pane.
3. Double-click the property, Enable eToken auditing, in the right pane
(or right-click and select Properties).


The Enable eToken auditing Properties dialog box opens.

The default setting is: eToken insertion/removal auditing is enabled.


4. Check Define this policy setting, select Enabled and click OK.
Auditing of insertion/removal events is enabled.

Automatic eToken Virtual Download


The Desktop Agent can be used to automatically download eToken Virtual
from the web site into the user desktop or PC.
To configure the eToken Virtual download method:
1. Open the TPO Editor as described in Configuring TPO Objects on page
115. The Token Policy Objects Editor opens.

2. Select Recovery Settings from the navigation tree in the left pane.
The Policies associated with Recovery Settings are displayed in the right
pane.


3. Double-click the property, eToken Virtual download method, in the
right pane (or right-click and select Properties).
The eToken Virtual download method Properties dialog box opens.

The default setting is: eToken Virtual is downloaded manually.


4. Check Define this policy setting, and check either of the following:

Manual download: eToken Virtual is downloaded manually

Automatic download: eToken Virtual is downloaded automatically

5. Click OK.
The policy, eToken Virtual download method is configured.


6. If you selected Automatic Download, the file is downloaded to:
System partition:\Documents and Settings\"logged on user"\Application
Data\Aladdin\TmsDesktopClient\SoftTokens.

Configuring TMS Desktop Agent Web Service

The TMS Desktop Agent Web Services, located on the TMS Server, can be
configured to determine the following:

The path where eToken Virtual is temporarily saved

Whether the temporary eToken Virtual file is removed from the server

The interval after which, if no message has been received from the token,
the token is considered removed

The configurations are set in the web.config file, typically located at:
C:\Program Files\Aladdin\eToken\Tms20\Web\TmsAgent
The configuration settings are added to the <appSettings> section in the
web.config file using the syntax shown in the following example:
<add key="SoftTokenTempFolder" value="C:\Documents and Settings\Administrator\Local Settings\Temp" />

TMS Desktop Agent Web Services Settings

Key: SoftTokenTempFolder
Value type: Path
Description: The path where eToken Virtual is saved temporarily.
Default: System Temp directory

Key: DeleteSoftTokenTempFile
Value type: Boolean
Description: Determines whether the temporary eToken Virtual file is
removed from the server.
Default: True

Key: MaxTokenAliveIntervalSeconds
Value type: Integer
Description: The number of seconds after which, if no message has been
received from the token, the token is considered removed.

Chapter 14
OTP Configuration
The behavior of One Time Password (OTP) can be configured in the web
services located on the TMS server, and in the OTP plug-in on the IAS
(RADIUS) server.
For more details see OTP Authentication for MS IAS Administrators Guide
Version 2.0 SP3.
This chapter contains the following sections:

OTP Web Services Configuration

OTP IAS Plug-In Configuration

Configuring IAS for use with MS SQL Server or OpenLDAP


OTP Web Service Configuration


The Web Services, located on the TMS Server, can be configured to
determine the following:

The number of blank presses on the token until synchronization with
the OTP server is lost

The number of failed authentications allowed until the token is locked

Which events to include in audits

Mapping between NetBIOS names and DNS names

Which groups of users to exclude from OTP

How to check the exclude groups

The refresh behavior of the group preload

The maximum number of update entries permitted before saving to
the TMS database

The configurations are set in the web.config file, typically located at:
C:\Program Files\Aladdin\eToken\Tms20\Web\OTPAuthentication
The configuration settings are added to the <appSettings> section in the
web.config file using the syntax shown in the following example:
<add key="BlankPresses" value="30" />
Note: These settings can also be configured in the Internet Information
Services (IIS) Manager.

In the Internet Information Services (IIS) Manager, navigate to Web
Sites>Default Web Site>OTPAuthentication. Right-click
OTPAuthentication, select Properties and open the ASP.NET tab. Click
Edit Configuration and make the required changes.
TMS OTP Web Services Settings

Key: BlankPresses
Value type: Numeric
Description: The range of OTP values to check. This determines the number
of blank presses until synchronization with the server is lost.
Default: 30

Key: AuthenticationRetries
Value type: Numeric
Description: The number of failed authentications allowed before the OTP
is locked.

Key: AuditCondition
Value type: String
Description: Defines which authentication events to include in the audit.
OnFailure: When authentication fails.
Always: When authentication fails or succeeds.
Never: Do not audit.
Default: OnFailure

Key: ExcludeGroupNameX (replace X by 1, 2, 3, ...; for example
ExcludeGroupName1, ExcludeGroupName2, etc.)
Value type: <exclude group account name> <connection string name>
Description: Determines which groups are not enabled for OTP.
For example: key ExcludeGroupName1, value SalesGroup aladdin.org
Default: None

Key: ExcludeGroupCheck
Value type: String
Description: Determines the behavior of the exclude group check. Values
can be comma separated. The possible values are:
1 - W2003: works via security token (only for Windows Server 2003)
2 - Preload: preload exclude group members (see also the
PreloadGroupsRefresh property)
3 - Token: to use this option the token in the DB must be updated
consistently via the TMS Backend Service (cannot be used with other
values)
4 - Default: default (1 in Windows 2003, 5 in Windows 2000)
5 - Flat: check only the user's direct groups (cannot be used with other
values)
Default: Default (4)

Key: MaxDelayedDBUpdates
Value type: Numeric
Description: To save system resources during times of peak activity, you
can set the maximum number of update entries allowed before they must be
written to the TMS database.
Default: 100
TMS IAS Plug-In Configuration

The IAS plug-in, located on the IAS (RADIUS) server, can be configured to
determine the following:

Whether OTP or standard authentication is used

The URL of the eToken Authentication web service

How to handle an authentication request from a user without an OTP
enrolled device

Whether RADIUS returns the password

The RADIUS credential attribute number

The time-out when calling OTP Web Services from the IAS plug-in

How to handle OTP web services failure

The configurations are set in the otp_plugin_config.xml file.
The configuration settings are added to the <ias_plugin_configuration>
section in the otp_plugin_config.xml file.

TMS IAS Plug-In Settings

Key: enable_otp_authentication
Value type: Boolean
Description: This parameter determines whether OTP authentication or
standard authentication is used.
True: Authentication requests are validated with OTP
False: Authentication requests are validated with standard authentication

Key: otp_web_service_url
Value type: String
Description: URL of the eToken Authentication Web Service

Key: return_pap_cred
Value type: Boolean
Description: Determines whether the RADIUS server returns the password as
an attribute of the RADIUS response

Key: return_pap_cred_attribute_number
Value type: Numeric
Description: Specifies the RADIUS attribute number of the returned
password (for example, 2 is for ratUserPassword)

Key: web_service_request_timeout
Value type: Time in seconds
Description: Specifies the timeout period when calling the OTP Web
Service from the IAS Plug-in.

Key: web_service_comm_error_behavior
Value type: Enumerator
Description: Determines how to handle an OTP web service communication
failure.
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request

Note: Pass makes the RADIUS server fail open: while the OTP web service
cannot be reached, requests are accepted on the standard credential alone.
Where OTP must remain mandatory, use Reject or Fail.
Configuring IAS for use with MS SQL Server or OpenLDAP

If you are using MS SQL Server or OpenLDAP as your user store, IAS
must be configured to accept users without validating credentials.
With this setting IAS itself checks no credentials, so authentication on
that server depends entirely on the OTP plug-in; make sure
enable_otp_authentication is set to true in otp_plugin_config.xml.
To configure IAS to accept users without validating credentials:
1. From the Windows Start menu, go to Programs>Administrative
Tools>Internet Authentication Service.
The Internet Authentication Service window opens.
2. Navigate to Connection Request Processing>Connection Request
Policies.
3. In the right pane, right-click Use Windows authentication for all users and
select Properties.
The Use Windows authentication for all users Properties window
opens.
4. Click Edit Profile.
The Edit Profile window opens.
5. On the Authentication tab, select Accept users without validating
credentials.
6. Click OK until you return to the Internet Authentication Service main
window.

Chapter 15
Exporting TMS Data
TMS Management Center allows the administrator to configure some predefined
reports. However, to create custom reports using an external application,
TMS data must be exported in a supported format. To do this, the
administrator can use the TMS Export Tool to export TMS data to an MDB
file using SQL Server.
This chapter contains the following section:

Exporting TMS Data


Exporting TMS Data


To export TMS data:
1. From the Start menu click Run.
The Run dialog box opens.
2. In the Run dialog box enter cmd and click OK.
The C:\WINDOWS\system32\cmd.exe window opens.
3. At the command prompt (for example, C:\Documents and
Settings\Administrator.ROOT>), enter
"C:\Program Files\Aladdin\eToken\Tms2.0\Bin\TmsExport.exe" (the quotes
are required because the path contains spaces).
4. Enter the string to the Target file and send the data to the MDB file using
the SQL tool.
The data is exported and stored in the MDB file.


Chapter 16
eToken Pass
The administrator can add eToken Pass devices to TMS, using the import file
option.
After receiving an eToken Pass, the administrator can enroll the eToken Pass
or the user can enroll the token from the TMS Self Service Center.
This chapter includes the following:

Importing the eToken Pass XML File

eToken Pass Enrollment

Enrolling eToken Pass

Importing the eToken Pass XML File


WARNING: In releases prior to TMS 2.0 SP2, if you imported the eToken
Pass XML file more than once, the eToken Pass devices in TMS would lose
synchronization, causing serious malfunction.
In TMS 2.0 SP2 and higher, the eToken Pass devices that are already in the
system are not affected by a re-import of the XML file. You may want to
re-import the file to ensure that the complete list of eToken Pass devices has
been successfully entered into TMS.
eToken Pass devices are shipped from the factory with an accompanying XML
file. This file is required to activate the eToken Pass devices in TMS in your
enterprise. It contains specific information about the eToken Pass devices in
your enterprise, and ensures that only devices registered for your enterprise
can be used to gain access to your system. Because it is what ties the
devices to your enterprise, restrict access to the file and store it with
the same care as other credential material.
The eToken Pass XML file can be imported with the TMS Management Center
or through the Windows command line.

Importing the eToken Pass XML File Through the TMS Management Center
Note: For more details about the TMS Management Center, see TMS 2.0

Reference Guide.
To import the eToken Pass XML file through the TMS Management
Center:
1. To open the TMS Management Center, in your internet browser, enter the
URL of the TMS Management Center (for example:
http://localhost/tmsmanage).
2. In the TMS Management Center, select Inventory and click eT PASS.
The Upload eToken Pass File screen opens.
3. Enter the path to the eToken PASS file
(for example QX_eTpass.XML).
4. Click Upload.
A confirmation message is displayed as follows:
The file was uploaded successfully. Click Run button to import eToken
PASS devices.
5. Click Run.
The eToken Pass devices are imported and a confirmation message is
displayed.
If the import was not completely successful, a link is displayed as
follows: Click here to see a detailed error description.
6. To see the error message, click the link Click here to see a detailed
error description.
The Action Log screen opens.
7. Click OK to close the Action Log screen.
8. Click Done.
The eToken Pass file has been uploaded.

Importing the eToken Pass XML File Through the Command Line
To import the eToken Pass XML file through the command line:
Run the command using the following syntax:
ImportTokens.exe -connection <tms.domain.com> -tokens <path to XML
file>

eToken Pass Enrollment


To add eToken Pass devices to TMS, the following must be done:

The administrator activates the function in TMS through configuration of the
web.config file.

The eToken Pass is enrolled in the TMS Self Service Center (this can be
performed by the end user).

Activating eToken Pass in TMS


To activate the eToken Pass function in TMS, the administrator must set the
SupportETPassEnrollment parameter in the web.config XML file to TRUE.
To activate the eToken Pass in TMS:
1. Go to Start>Programs>Administrative Tools>Internet Information
Services (IIS) Manager.
Internet Information Services (IIS) Manager opens.
2. Navigate to Web Sites>Default Web Site>TMSService.
3. Right-click TMSService and select Explore.
4. Right-click the web.config file, select Open With, and select a text
editor (such as Notepad).
The web.config file opens in the text editor.
5. Set the SupportETPassEnrollment parameter to true, using the
following syntax:
<add key="SupportETPassEnrollment" value="true" />
6. Save the changes to web.config.
A link I want to enroll a new eToken Pass is added to the TMS Self
Service Center. The appearance of this link is also dependent on the
enrollment function being enabled for the user in the TMS Role
Management center.

Enrolling eToken Pass in the TMS Self Service Center

The user can enroll the eToken Pass from the TMS Self Service Center.
Note: For more details about the TMS Self Service Center, see TMS 2.0
Reference Guide.
To enroll eToken Pass in the TMS Self Service Center:
1. To open the TMS Self Service Center, in your internet browser, enter the
URL of the TMS Self Service Center (for example:
http://localhost/tmsservice).
2. Click I want to enroll a new eToken Pass.
The eToken Pass Self Service Enrollment screen opens.
3. Enter the following fields:

eToken Pass Serial No: enter the serial number as printed on the
eToken Pass cover. It is also displayed when the token button is
pressed continuously for a few seconds.

OTP PIN: if required by the OTP policy, enter the new OTP PIN.

Confirm OTP PIN: enter the OTP PIN again.

First OTP value: enter the first OTP value generated by the device
(that is, the value generated after pressing the button the first time).

Second OTP value: enter the second OTP value generated by the
device (that is, the value generated after pressing the button for a
second time).

4. Click Submit.
eToken Pass is enrolled in TMS.
When the user has carried out the enrollment steps, TMS performs the
following actions:

Verifies that the eToken Pass serial number exists in TMS

Verifies that this eToken Pass is currently unassigned

Synchronizes with the OTP server using the two OTP values provided
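The three checks above, together with the BlankPresses and AuthenticationRetries settings of Chapter 14, can be modelled on the server side. The code below is an added example and not TMS code: it assumes the eToken Pass behaves as an event-based OATH HOTP token (RFC 4226, HMAC-SHA-1, six digits) and that the per-device seed is what the vendor XML import loads into the server, neither of which this guide states. The seed it uses is the RFC 4226 test vector, and the serial number is constructed.

```python
"""Server-side model of eToken Pass enrollment sync and OTP verification.

Added example, not Aladdin's code, illustrating the three checks listed
above and the BlankPresses / AuthenticationRetries settings of Chapter 14.
It assumes the eToken Pass behaves as an event-based OATH HOTP token
(RFC 4226, HMAC-SHA-1, 6 digits) whose per-device seed arrived in the
vendor XML file; the guide itself does not state the algorithm. The seed
below is the RFC 4226 test vector, used here as constructed data.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Per-token state the server keeps after the XML import.

    counter is the last accepted event counter (None until enrollment has
    synchronized it); blank_presses is the look-ahead window and retries
    the consecutive failures allowed before the token is locked."""

    def __init__(self, serial, secret, blank_presses=30, retries=5):
        self.serial = serial
        self.secret = secret
        self.counter = None
        self.blank_presses = blank_presses
        self.retries = retries
        self.failures = 0
        self.locked = False
        self.assigned_to = None

    def enroll(self, user, first_otp, second_otp):
        """Self-service enrollment: refuse an already assigned token, then
        search the window from the factory counter for two consecutive
        codes. Returns True on success."""
        if self.assigned_to is not None:
            return False
        for c in range(self.blank_presses + 1):
            if hotp(self.secret, c) == first_otp and hotp(self.secret, c + 1) == second_otp:
                self.counter = c + 1
                self.assigned_to = user
                return True
        return False

    def verify(self, otp):
        """Accept an OTP up to blank_presses button presses ahead of the
        last accepted one, move the counter past it (so it cannot be
        replayed), and lock after `retries` consecutive failures."""
        if self.locked or self.counter is None:
            return False
        start = self.counter + 1
        for c in range(start, start + self.blank_presses + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.retries:
            self.locked = True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"           # RFC 4226 test vector secret
    token = TokenRecord("QX000001", seed, blank_presses=30, retries=3)
    # The user wasted two presses, then typed the third and fourth codes.
    print("enrolled:", token.enroll("alice", hotp(seed, 2), hotp(seed, 3)))
    print("next code accepted:", token.verify(hotp(seed, 4)))
    print("replay rejected:", not token.verify(hotp(seed, 4)))
```

Two consecutive codes are required at enrollment because a single six-digit value matched anywhere in a 30-wide window is easy to hit by chance; demanding that the second code be the immediate successor makes an accidental match negligible. The same window is what limits blank presses afterwards: once the user has pressed the button more than BlankPresses times without authenticating, verify() no longer finds the code and the token must be re-synchronized, and a code that has already been accepted is refused because the counter has moved past it.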

Enrolling eToken Pass in the TMS Management Center
To enroll eToken PASS devices:
1. To open the TMS Management Center, in your internet browser, enter the
URL of the TMS Management Center (for example:
http://localhost/tmsmanage)
2. In the TMS Management Center, click the Deployment tab, select the
search criteria to get the user you require and click Go.
The Deployment window opens with the results of the search displayed in
the right pane of the window.
3. Select the required user and click eToken PASS.
The Enroll eToken PASS window opens.
4. Enter the eToken PASS serial number and click Run.
Note: The serial number may be printed on the back of your eToken
PASS. If not, to display the eToken PASS serial number, press and hold
the button on the token.
The eToken was enrolled successfully message appears at the bottom of
the window.
5. Click Done to return to the TMS Management Center window.

Locking eToken PASS

An eToken PASS is locked automatically if authentication fails more than
the permitted number of times (see AuthenticationRetries in Chapter 14).
The administrator can also lock an eToken PASS from the TMS Management
Center Help Desk. This prevents the user from using the token's One Time
Password (OTP) functionality.
To lock an eToken PASS:
1. In the TMS Management Center, click the Help Desk tab, select the
search criteria for the required user and click Go.
The Help Desk window opens with the results of the search displayed in
the right pane of the window.
2. Select the required eToken PASS and click Lock.

Removing eToken PASS from the TMS Inventory
eToken PASS devices that are no longer needed can be removed from the TMS
inventory.
To remove eToken PASS devices from TMS:
1. In the TMS Management Center, click the Inventory tab, select the search
criteria for the required user and click Go.
The Inventory window opens with the results of the search displayed in
the right pane of the window.
2. Select the required eToken PASS and click Remove.
The Remove eToken from TMS window opens.
3. Click Run.
The eTokens were removed successfully message appears at the bottom of
the window.
4. Click Done to return to the TMS Management Center window.

Chapter 17
Configuring eToken SSO Backup in TMS
Most SSO profiles are created by the end user after enrollment. The profiles
are saved on the user's token, and a backup file can be created. However, if
the token is broken or lost and the backup is not available or is not up to
date, the profiles are lost.
TMS can create backups for all profiles on the user's token, which can be
retrieved with the eToken replacement feature in the TMS Self Service Center
or TMS Management Center.
The SSO profiles on the user's token are synchronized with the TMS Server
through the TMS Desktop Agent. Every action performed on the user's token
is backed up to TMS.
This chapter includes the following:

Prerequisites

Configuring SSO Backup

Prerequisites
The following are required:

The TMS Connector for SSO 3.0
Note: For details of the TMS Connector for SSO 3.0, see eToken Single
Sign On 3.0 Administrator's Guide.

TMS Desktop Agent installed on the user's computer

SSO Backup configured in the TPO Editor

Configuring SSO Backup


The SSO Backup feature must be activated and configured in the TPO editor.
To configure SSO Backup:
1. From the Start menu, go to Start >Programs > Administrative Tools >
Active Directory Users and Computers.
2. Select the Organizational Unit (OU) for which you want to configure SSO
Backup.
(To assign the configuration to all the users in the domain, select the
domain.)
3. Right-click the selected container in the navigation pane and select
Properties from the drop-down list.
The Properties window opens.
4. Select the Token Policy tab.
5. Click Open.
6. Select the required Token Policy Object and click Edit.
The Token Policy Object Editor opens.
7. Select Connector Settings in the navigation pane.
The list of installed connectors is displayed in the right pane.
8. Right-click eToken Single Sign-On Connector.
The eToken Single Sign-On Connector window opens.
9. Select Define this policy setting, select Enable and click Definitions.
The Connector Policy Object Editor opens.
10. In the right pane, right-click Default Data Sensitivity.
11. Select Define this policy setting.
12. Select one of the following:

Low: backed-up profiles can be restored to eToken Virtual and to physical
tokens.

Medium: backed-up profiles can be restored to physical tokens, but not to
eToken Virtual.

High: backed-up profiles cannot be restored to physical tokens or to
eToken Virtual (this setting does not allow profile backup).

Note: Low or Medium must be selected to enable the restoration of
backed-up profiles. With High the profiles exist only on the token, so a
lost or broken token also loses its profiles.
13. Click OK.

Chapter 18 Glossary

Term (Abbreviation): Description

Shadow Domain: Using a different Active Directory domain to store TMS data.

RSA 1024-bit, 2048-bit: Different key sizes for the RSA public key
algorithm.

Proximity Card: Contactless smartcard; a contactless integrated circuit
device.

CardOS 4.2: Card operating system.

Logical access control: Collection of policies, procedures, organizational
structure and electronic access control.

Authentication server: A server responsible for authentication, usually
when talking about OTP tokens.

Root certificate: A root certificate is a self-signed certificate of a CA
and is part of a public key infrastructure scheme.

Backend Service: Service running on the TMS server, responsible for TMS
maintenance operations.

Block Policy Inheritance flag: A TPO flag used during policy calculation.
If this flag is on, the calculation ignores settings in TPOs higher than
the current one.

Connectors: Application extensions to TMS that allow TMS to handle
different security applications.

Domain Controller (AD): Each AD domain has at least one computer that
serves as the Domain Controller of that domain. The domain controller has
many responsibilities, among them managing Active Directory data and
handling user logins. Although Active Directory data may be changed from
any client machine, the schema may be changed only by a single domain
controller at a time.

Intermediate certificate (or chained root certificate): A subordinate
certificate issued by the trusted root specifically to issue end-entity
server certificates. The result is a certificate chain that begins at the
trusted root CA, passes through the intermediate, and ends with the SSL
certificate issued to you.

Public key certificate: In cryptography, a public key certificate (or
identity certificate) is a certificate that uses a digital signature to
bind together a public key with identity information such as the name of a
person or an organization, their address, and so forth. The certificate
can be used to verify that a public key belongs to an individual.

TMS Public Key: Used by the TMS client for sending data to TMS.

TMS Security Keys: Used to encrypt TMS data stored in the Active Directory.

TPO Disable flag: A TPO flag used during policy calculation. If this flag
is on, the current TPO is ignored during the calculation.

TPO No Override flag: A TPO flag used during policy calculation. If this
flag is on, the calculation ignores settings in TPOs lower than the
current one.

Active Directory (AD): Active Directory is an implementation of LDAP
directory services by Microsoft for use primarily in Windows environments.
The main purpose of Active Directory is to provide central authentication
and authorization services for Windows based computers. Active Directory
also allows administrators to assign policies, deploy software, and apply
critical updates to an entire organization. Active Directory stores
information and settings relating to an organization in a central,
organized, accessible database. Active Directory networks can vary from a
small installation with a few hundred objects to a large installation
with millions of objects.

Microsoft Active Directory Application Mode (ADAM): A directory service
that runs as a user service rather than as a system service.

Active Server Pages (ASP): Microsoft technology for creating web
applications.

Certification Authority (CA): An authority in a network that issues and
manages security credentials and public keys for message encryption and
decryption. As part of a public key infrastructure (PKI), a CA checks with
a registration authority (RA) to verify information provided by the
requestor of a digital certificate. If the RA verifies the requestor's
information, the CA can then issue a certificate.

Cryptographic API (CAPI): Microsoft API for cryptography.

Check Point (CP): Software company, responsible for the VPN-1 firewall.

Check Point Management Interface (CPMI): The programmatic interface used
to contact and manage the Check Point firewall.

Cryptographic Service Provider (CSP): In Microsoft Windows, a
Cryptographic Service Provider (CSP) is a software library that implements
the Cryptographic Application Programming Interface (CAPI). CSPs implement
encoding and decoding functions, which application programs may use, for
example, for strong authentication of the user or for secure email.

Domain Controller (DC): On Windows Server systems, the domain controller
(DC) is the server that responds to security authentication requests
(logging in, checking permissions, etc.) within the Windows Server domain.

Data Encryption Standard (DES): Standard cryptographic algorithm developed
by the US National Bureau of Standards. Now replaced by AES.

Domain Name System (DNS): On the Internet, the Domain Name System (DNS)
stores and associates many types of information with domain names; most
importantly, it translates domain names (computer hostnames) to IP
addresses. It also lists mail exchange servers accepting e-mail for each
domain. In providing a worldwide keyword-based redirection service, DNS is
an essential component of contemporary Internet use.

Federal Information Processing Standards (FIPS): Federal Information
Processing Standards (FIPS) are publicly announced standards developed by
the United States Federal government for use by all non-military
government agencies and by government contractors. Many FIPS standards are
modified versions of standards used in the wider community (ANSI, IEEE,
ISO, etc.).

Graphical Identification and Authentication (GINA): MS network logon
mechanism library.

Group Policy Object (GPO): A collection of settings that define how a
system will behave for a defined group of users. It is associated with AD
containers.

Hash message authentication code (HMAC): A keyed-hash message
authentication code, or HMAC, is a type of message authentication code
(MAC) calculated using a cryptographic hash function in combination with a
secret key. As with any MAC, it may be used to simultaneously verify both
the data integrity and the authenticity of a message. Any iterative
cryptographic hash function, such as MD5 or SHA-1, may be used in the
calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or
HMAC-SHA-1 accordingly. The cryptographic strength of the HMAC depends
upon the cryptographic strength of the underlying hash function, on the
size and quality of the key, and on the size of the hash output length in
bits.

Lightweight Directory Access Protocol (LDAP): Network protocol for
querying and modifying directory services.

Microsoft Management Console (MMC): The Microsoft Management Console (MMC)
is a component of modern Microsoft Windows operating systems that provides
system administrators and advanced users with a flexible interface through
which they may configure and monitor the system.

Open Platform for Security (OPSEC): A Check Point standard for managing
security.

One Time Password (OTP): An authentication method based on a password
generator which creates a different password each time a password is
required. The purpose of a one-time password (OTP) is to make it more
difficult to gain unauthorized access to restricted resources, like a
computer account. Traditional static passwords can more easily be
accessed by an unauthorized intruder given enough attempts and time. By
constantly altering the password, as is done with a one-time password,
this risk can be greatly reduced.

Organizational Unit (OU): The smallest unit within domains, used to
subdivide the various administrative divisions.

PFX: Public Key Cryptography Standards #12 (PKCS#12) specifies a portable
format for storing and transporting user or server private keys, public
keys, and certificates. It is a binary format, and these files are also
known as PFX files.

Public Key Cryptography Standards (PKCS): Set of public key related
standards published by RSA Data Security Inc.

Public Key Cryptography Standards #11 (PKCS#11): Cross-platform standard
for cryptographic devices.

Public Key Infrastructure (PKI): Method for securing web and network
access. Consists of protocols, services and standards supporting
associated software.

Radio Frequency Identification (RFID): The technology that uses devices
attached to objects that transmit data to an RFID receiver. Advantages
include data capacity, read/write capability, and no line-of-sight
requirements.

RSA: In cryptology, RSA is an algorithm for public-key encryption. It was
the first algorithm known to be suitable for signing as well as
encryption, and one of the first great advances in public key
cryptography. RSA is still widely used in electronic commerce protocols,
and is believed to be secure given sufficiently long keys and the use of
up-to-date implementations.

Runtime Environment (RTE): RTE is a generic term. However, earlier
versions of eToken PKI Client were called eToken RTE.

Security Assertion Markup Language (SAML): Standard for communication
between federated identities.

Software Development Kit (SDK)

Secure Hash Algorithm (SHA1): The SHA (Secure Hash Algorithm) hash
functions refer to five FIPS-approved algorithms for computing a condensed
digital representation (known as a message digest) that is, to a high
degree of probability, unique for a given input data sequence (the
message).

Secure Sockets Layer (SSL): Protocol for managing the security of a
message transmission over the Internet. URLs that use it start with https.

Single Sign On (SSO): Single sign-on (SSO) is a specialized form of
software authentication that enables a user to authenticate once and gain
access to the resources of multiple software systems.

eToken Token Management System (TMS): eToken Token Management System, or
eToken TMS.

Token Policy Object (TPO): An object containing the full set of TMS
settings. This object may be connected to an OU or a domain.

Virtual Private Network (VPN): A virtual private network (VPN) is a
private communications network often used by companies or organizations
to communicate confidentially over a public network. VPN traffic can be
carried over a public networking infrastructure (e.g. the Internet) on top
of standard protocols, or over a service provider's private network with a
defined Service Level Agreement (SLA) between the VPN customer and the VPN
service provider. A VPN can send data (e.g., voice, data or video, or a
combination of these media) across secured and encrypted private channels
between two points.

Appendix 1
Installing and Configuring ADAM

A short explanation is provided here on how to install and configure ADAM in
order to work with TMS. For more information about installing and
configuring ADAM, please refer to Microsoft documentation.
Note: The ADAMretailx86.exe must be obtained from Microsoft.

To install and configure ADAM:
1. Run ADAMretailx86.exe.
The WinZip Self-Extractor dialog box opens.
2. Enter the folder name to which you wish to extract the file, or click
Browse to select a folder.
3. Click Unzip.
The WinZip Self-Extractor displays a notice that the unzipping process
completed successfully. Click Close to exit the extractor.
4. Go to the folder to which you extracted ADAMretailx86.exe and
run adamsetup.exe.

The Active Directory Application Mode Setup Wizard opens.

5. Click Next.
The License Agreement dialog box opens.

6. Read the license agreement, select I accept and click Next.


The Installation Options dialog box opens.

7. Select ADAM and ADAM administration tools and click Next.
The Setup Options dialog box opens.

8. Select A unique instance and click Next.


The Instance Name dialog box opens.

9. Enter the Instance name or keep the default value and click Next.
The Ports dialog box opens.

10. Enter the port numbers (we recommend using ports in the range 1025-65535) and click Next.


The Application Directory Partition dialog box opens.

11. Select Yes, create an application directory partition, and in the
Partition name textbox enter: DC=TMS. Click Next.
The File Locations dialog box opens.

12. Enter a folder to store information associated with ADAM or browse for a
folder. Click Next.


The Service Account Selection dialog box opens.

13. Select Network service account and click Next.

Note that by default only the logged-on user can use ADAM with TMS. To
allow more users to do so, select the desired user groups.
The ADAM Administrators dialog box opens.

14. Specify the user or group that will have administrative privileges and
click Next.


The Importing LDIF Files dialog box opens.

15. Select Import the selected LDIF files. Choose the MsInetOrgPerson.LDF file, and click Add.
16. Click Next.
The Ready to Install dialog box opens.
17. Click Next.
18. Click Finish to exit the Active Directory Application Mode Setup Wizard.
To configure ADAM:
1. Run ADAM ADSI Edit from the Start menu, under Programs\ADAM.


The ADAM adsiedit window opens.

2. On the Action menu click Connect to.


The Connection Settings dialog box opens.

3. Enter the settings as detailed below:

Connection name: Enter any name you please.

Server name: Enter the server name as defined during the ADAM
installation (usually the local host or local machine name).

Port: Enter the port as defined during the ADAM installation (LDAP
port).

Well-known naming context: Select Configuration from the dropdown list.

4. Click OK. In ADAM adsiedit, select the CN=Partition directory. Right-click
DC=TMS and select New Connection to Naming Context.
The DC=TMS container now appears.

The configuration of ADAM is now complete.
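The same instance can be created without clicking through the wizard. The following PowerShell script is an added example, not part of the Aladdin guide: it writes an ADAM answer file carrying the choices of steps 8 to 15 above and runs adaminstall.exe /answer, Microsoft's documented unattended path for ADAM / AD LDS instances. It assumes the ADAM binaries are already installed (step 7); the instance name, ports, data path and administrators group are placeholders.

```powershell
# Added example, not from the Aladdin TMS guide: create the ADAM instance for TMS
# unattended with the same choices the wizard asks for in steps 8 to 15.
# Assumes the ADAM binaries are already installed (step 7), so that
# %windir%\ADAM\adaminstall.exe exists, and that it accepts /answer:<file>
# as documented by Microsoft for unattended ADAM / AD LDS instance setup.
param(
    [string]$InstanceName   = 'TMS',                       # placeholder (step 9)
    [int]   $LdapPort       = 50000,                       # placeholder (step 10)
    [int]   $SslPort        = 50001,                       # placeholder (step 10)
    [string]$DataPath       = 'C:\ADAM\TMS',               # placeholder (step 12)
    [string]$Administrators = 'EXAMPLE\TMS-Administration' # placeholder group (step 14)
)

# Step 10: the guide recommends ports in the range 1025-65535.
foreach ($p in @($LdapPort, $SslPort)) {
    if ($p -lt 1025 -or $p -gt 65535) { throw "Port $p is outside 1025-65535" }
}
if ($LdapPort -eq $SslPort) { throw 'LDAP and SSL ports must differ' }

# Steps 8 to 12, 14 and 15 as answer-file keys. ServiceAccount is left out on
# purpose: the instance then runs as Network Service, which is what step 13
# selects. The LDIF file name is the one shipped in the ADAM directory (the
# guide spells it MsInetOrgPerson.LDF).
$answerFile = Join-Path $env:TEMP 'adam-tms-answer.txt'
@"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate="DC=TMS"
DataFilesPath=$DataPath\data
LogFilesPath=$DataPath\data
Administrator=$Administrators
ImportLDIFFiles="MS-InetOrgPerson.LDF"
"@ | Set-Content -Path $answerFile -Encoding ASCII

$adamInstall = Join-Path $env:windir 'ADAM\adaminstall.exe'
& $adamInstall "/answer:$answerFile"
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
Remove-Item $answerFile
```

After the instance is created, the "To configure ADAM" steps above (connecting ADSI Edit to the LDAP port and the DC=TMS naming context) still apply unchanged.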


Appendix 2

User Permissions
The Administrator can configure the users' privileges and edit them as
required.
The TMS should allow help desk personnel the option of performing most of
the TMS operations (for example: enroll tokens, delete tokens and so on).
The minimum permissions the help desk user should have in order to perform
basic TMS operations are specified in this appendix.
Different operations require different permissions; the following are the
required permissions to perform the different operations with the TMS.

The minimum permissions required to administer basic TMS operations
To install TMS:

The user should be a member of the Schema Administrator group and the
Domain Administrator group

To manage TMS:

The user should be a member of the TMS-Administration group, which
will allow the user to perform basic TMS operations, such as adding
tokens to the DB, deleting tokens, etc.

To manage Gina Connector:

The user should have permission to change other domain users'
passwords.

To manage OTP Connector:


The user must have permission to change the Dial-in property of the user
account:
1. Open ADSI Edit (part of the Microsoft Windows Server 2003 Support Tools).
2. Select the proper domain, and the user you want the help desk user to
administer via the TMS.


The Console 1 window opens.

3. Right-click the user's name and select Properties (in this example the
user's name is Aladdin).
4. Select the Security tab and click Add.
The Aladdin properties dialog box opens.


5. Enter the name of the help desk user (in this example the user name is
Helpdesk) and click OK.

The user is added to the list.

6. Click Advanced.
7. Select the help desk user from the list and click Edit.


The Advanced Security Settings for Aladdin dialog box opens.

8. Select the Properties tab.


9. Select Allow for the following attributes: Read msNPAllowDialin and Write
msNPAllowDialin.
To manage MS-CA Connector:
The user needs Read and Enroll permissions for the templates that will be
used (enrollment agent, smartcard logon, etc.):
1. Open the CA snap-in. Right-click Certificate Templates and choose
Manage.
2. From the certificate list, double-click the certificate template the TMS should enroll.
3. On the Security tab, give the help desk user the Read and Enroll
permissions.
4. In the CA snap-in, right-click the CA name and choose Properties.
5. On the Security tab, give the help desk user the Issue and Manage
Certificates permission.
To manage P12 Connector:

Read permissions to the libraries where the pfx files and the password
index files are stored.


To manage Check Point Connector:

No additional permissions are required

To manage SSO Backup Connector:

Write permissions to the SSO backup library

To delegate control of password resets to the Helpdesk group:


1. In the Active Directory Users and Computers snap-in, click the Divisions
OU (or the entire domain).
2. Right-click Divisions and then click Delegate control.
The Delegation of Control wizard opens.
3. Click Next.
4. On the Users or Groups page, click Add, click Advanced, and then click
Find Now.
5. Double-click Helpdesk, and then click OK.
6. Click Next to continue.


7. On the Tasks to Delegate page, under Delegate the following common
tasks, click Reset user passwords and force password change at
next logon.
8. Click Next to continue.

9. On the summary page, review the proposed settings, and then click
Finish.
To manage TMS web site:

The help desk user needs to have read permissions to the TMS web site
directory on the IIS server.
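The two GUI procedures above (the msNPAllowDialin permissions for the OTP Connector and the password-reset delegation) can be applied as explicit ACEs with dsacls.exe from the Support Tools, which makes the help desk group's rights easy to audit. The following PowerShell script is an added example and not part of the Aladdin guide; the OU distinguished name and the group name are placeholders, and it assumes dsacls.exe is on the path.

```powershell
# Added example, not from the Aladdin TMS guide: grant the help desk group only
# the rights Appendix 2 lists, scoped to user objects under one OU, with
# dsacls.exe (Windows Server 2003 Support Tools). Placeholders: OU DN and group.
param(
    [string]$TargetOu = 'OU=Divisions,DC=example,DC=local',  # placeholder OU
    [string]$Helpdesk = 'EXAMPLE\Helpdesk'                      # placeholder group
)

# /I:S applies the ACEs to objects under the OU, not to the OU itself, and each
# grant is restricted to the 'user' object class, so the group gets nothing on
# groups, computers or the OU container.
$grants = @(
    # OTP Connector (steps 1-9 above): read and write the Dial-in flag.
    "${Helpdesk}:RPWP;msNPAllowDialin;user",
    # Gina Connector and the delegation wizard task: the Reset Password control
    # right plus write on pwdLastSet, which forcing a change at next logon needs.
    "${Helpdesk}:CA;Reset Password;user",
    "${Helpdesk}:WP;pwdLastSet;user"
)

& dsacls.exe $TargetOu /I:S /G $grants
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify: list the ACEs on the OU that name the help desk group. Any entry
# beyond the three granted above means the group holds more than required.
& dsacls.exe $TargetOu | Select-String -SimpleMatch $Helpdesk
```

The verification step is also the check to run periodically: rights added later through the GUI show up here as extra lines for the group.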

Appendix 3

Copyrights and Trademarks


The eToken system and its documentation are copyrighted 1985 to
present, by Aladdin Knowledge Systems Ltd.
All rights reserved.
eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a
registered trademark of Aladdin Knowledge Systems Ltd.
All other trademarks, brands, and product names used in this Manual are
trademarks of their respective owners.
This manual and the information contained herein are confidential and
proprietary to Aladdin Knowledge Systems Ltd. (hereinafter Aladdin). All
intellectual property rights (including, without limitation, copyrights, trade
secrets, trademarks, etc.) evidenced by or embodied in and/or
attached/connected/related to this manual, information contained herein and
the Product, are and shall be owned solely by Aladdin. Aladdin does not
convey to you an interest in or to this manual, information contained herein
and the Product, but only a limited right of use. Any unauthorized use,
disclosure or reproduction is a violation of the licenses and/or Aladdin's
proprietary rights and will be prosecuted to the full extent of the Law.

NOTICE
All attempts have been made to make the information in this document
complete and accurate. Aladdin is not responsible for any direct or indirect
damages or loss of business resulting from inaccuracies or omissions. The
specifications in this document are subject to change without notice.


Appendix 4

FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation.
This equipment generates, uses and can radiate radio frequency energy and, if
not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that
interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one of the following
measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which
the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.

FCC Warning
Modifications not expressly approved by the manufacturer could void the user's
authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does
not contain a Class B Computing Device Peripheral and therefore does not
require FCC regulation.

CE Compliance
The eToken product line complies with the CE EMC Directive and related
standards*. eToken products are marked with the CE logo and an eToken CE
conformity card is included in every shipment or upon demand.


*EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.

UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability
of Plastic Materials for Parts in Devices and Appliances. eToken products
comply with UL 1950 Safety of Information Technology Equipment
regulations.

ISO 9002 Certification


The eToken product line is designed and manufactured by Aladdin
Knowledge Systems, an ISO 9002-certified company. Aladdin's quality
assurance system is approved by the International Organization for
Standardization (ISO), ensuring that Aladdin products and customer service
standards consistently meet specifications in order to provide outstanding
customer satisfaction.

Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of
Compliance to any software developer who wishes to demonstrate that the
eToken product line conforms to the specifications stated. Software
developers can distribute this certificate to the end user along with their
programs.


Index

Organizational Unit  15
Aladdin Website  II
Architecture  13, 14
Authorization Manager  99
CE Compliance  259
Certificate of Compliance  260
Configuring  81, 83, 87
Backend Service  105
Connectors  97
Security Keys  91
TMS Public Key  96
TMS service account  110
TMS Settings  81, 83, 87
Token Policy  109
TPO Objects  113
Contacting Aladdin eToken  II
Austria  II
Belgium  II
France  II
Germany  II
Ireland  II
Italy  II
Netherlands  II
Rest of the world  II
Spain  II
Switzerland  II
UK  II
USA  II
Copyrights and Trademarks  257
Defining  56, 99
Defining Token Policies  111
Deployment Strategies  13
Domain  15
Domain Controller Roles  16
Microsoft Active Directory Application Mode  16
Replication  16
Edit TMS Settings  91
Editing  81, 91
TMS  108
TMS Settings  91
Export Keys  92
FCC Compliance  259
FCC Warning  259
Flags
Block Policy Inheritance  129
No Override  129
TPO Disable  130
Forest  15
Glossary  227
Import Keys  94
Installation Components  33
Installing  18
AD Shadow Domain  18
ADAM Shadow Domain  19
TMS Client Component  35
TMS Management Station Component  35
TMS Server Component  34
Installing and Configuring ADAM  241
Installing TMS  19
AD Multi Domain Shadow Environment  20
AD Single Domain Production Environment  19
AD Single Domain Shadow Environment  19
ADAM Multi Domain Shadow Environment  21
ADAM Single Domain Shadow Environment  20
ISO 9002 Certification  260
Microsoft Active Directory  13, 14
Migrating from TMS 1.5 to TMS 2.0  38
Operations  98
Overview  2
Enhanced User Experience  4
Main Features  3
New and Enhanced Functionality  4
New Design  3
New in TMS  3, 4
Post-Installation Configuration  81
Production Domain  17
Removing TMS 1.5  45
Role Store  104
Roles  98
Defining  56, 99
New Roles  101
Predefined  99
Schema  16
Shadow Domain  17
System Requirements  5
Client Component  5
Tasks  98
Text Conventions  III
The Microsoft Active Directory Users and Computers Snap-in  113
The TMS Backend Service  173
The TMS Desktop Agent  179
TMS Architecture  14
TMS Assignments  98
TMS Configuration  47
TMS Deployment Options  17, 18
Production and Shadow Domains  17
TMS Settings
Audit  147
Backend Service  149
Desktop Agent  150
Enrollment  142
eToken  135
Recovery  145
TMS System Objects  112
Token Policy Object  85
Token Policy Object Editor  86
TPO Scope  126
Specifying  126
Using the Security tab to control TPO scope  130
TPO Settings
Connectors  135
Mail  134
Tree  15
UL Certification  260
Understanding TPOs  112
User Permissions  251
