OneSpan Authentication Server discovery


Server discovery allows Digipass Authentication for Windows Logon clients to find instances of OneSpan Authentication Server by querying a DNS server.

If your organization is impacted by the General Data Protection Regulation (GDPR), note that to be GDPR-compliant, Digipass Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in the Digipass Authentication for Windows Logon Configuration Center.

For more information about GDPR, refer to the OneSpan Authentication Server Appliance General Data Protection Regulation Compliance Guide.

Server discovery requires the following:

Registering OneSpan Authentication Server Appliance with DNS servers

An SRV record may be created on the DNS server using the DNS registration option in the OneSpan Authentication Server configuration stage (i.e. after installation). For more information, see below.

If OneSpan Authentication Server will be available to client machines in other trusted Active Directory domains, an SRV record must be created manually on the DNS server(s) that serve the client domain.

Registering DNS services for server discovery

Registering OneSpan Authentication Server with a DNS server allows Digipass Authentication for Windows Logon clients to discover a local instance of OneSpan Authentication Server.

The following two DNS service registration options are available:

  • No authentication type. For the DNS service registration with a DNS server supporting dynamic DNS anonymously, the authentication type needs to be set to None. Use this method if your DNS server(s) do not require authentication or SSL for adding SRV records.
  • TSIG as the authentication type. For the DNS service registration with a DNS server supporting dynamic DNS with TSIG authentication, the authentication type needs to be set to TSIG. This service registration method uses a key file shared between OneSpan Authentication Server, the DNS server, and the application; each update transaction is signed with that shared key. Use this method if your DNS server(s) are configured to accept TSIG-authenticated changes only.

To register a DNS service without authentication type

  1. Select the DNS service registration with a DNS server supporting dynamic DNS option.
  2. Enter the name of the DNS domain.
  3. Select the priority for connections to the OneSpan Authentication Server, i.e. primary or backup server.

To register a DNS service with TSIG as the authentication type

  1. Select the DNS service registration with a DNS server supporting dynamic DNS with TSIG authentication option.
  2. Enter the full path and file name for the shared key file.
  3. Enter the name of the DNS domain.
  4. Select the priority for connections to the OneSpan Authentication Server, i.e. primary or backup server.

Figure: Configuration Tool OneSpan Authentication Server discovery without authentication type

Active Directory DNS servers do not support dynamic DNS with TSIG authentication; the anonymous (no authentication type) option must be used instead. For more information about configuring this, refer to the Active Directory documentation.

If two or more OneSpan Authentication Server instances are registered with the DNS server and given the same priority, the first available SRV record will be used by the Digipass Authentication for Windows Logon client.
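The following is an added example, not OneSpan code: it models how a Digipass Authentication for Windows Logon client would pick a server from the SRV records described above, lowest priority first and, within one priority, the first record that answers. The SRV label, host names and port in the sample record set are constructed placeholders; the real label is whatever the Configuration Tool registers.

```python
"""Client-side selection of an OneSpan Authentication Server from DNS SRV records.

Added example (not OneSpan code). The service label, host names and port below
are constructed; a real client would obtain the record set from its resolver.
"""
import socket
from typing import Callable, Iterable, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed sample answer for a hypothetical _example-oas._tcp.corp.example:
# two primary servers (priority 0) and one backup (priority 10).
SAMPLE_SRV: list = [
    (0, 0, 20003, "oas1.corp.example."),
    (0, 0, 20003, "oas2.corp.example."),
    (10, 0, 20003, "oas-backup.corp.example."),
]


def parse_srv(rdata: str) -> SrvRecord:
    """Parse SRV RDATA as printed in zone files: 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target


def tcp_probe(target: str, port: int, timeout: float = 2.0) -> bool:
    """Reachability check used against a live network (TCP connect only)."""
    try:
        with socket.create_connection((target.rstrip("."), port), timeout):
            return True
    except OSError:
        return False


def choose_server(records: Iterable[SrvRecord],
                  probe: Callable[[str, int], bool] = tcp_probe
                  ) -> Optional[Tuple[str, int]]:
    """Return (target, port) of the first reachable server.

    Records are tried in ascending priority (primary before backup). sorted() is
    stable, so records sharing a priority keep the order the resolver returned
    them, which is the 'first available SRV record' behaviour described above.
    """
    for _prio, _weight, port, target in sorted(records, key=lambda r: r[0]):
        if probe(target, port):
            return target, port
    return None  # no registered server answered
```

Pass a custom `probe` to simulate outages; the default performs a real TCP connect, so use it only where the SRV targets actually exist.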