SQL Data

PortalGuard may have up to 3 different SQL tables in its database, depending on its configuration. In all cases the Bootstrap configuration must be configured with the appropriate ODBC Datasource, SQL database and credentials for access. Note that PortalGuard only ever inserts into the two audit tables (HDLogging and RBAEvents) and only reads back and updates UserProfile, which bounds the privileges the configured SQL account actually needs:

1) HDLogging - A write-only (append-only audit) table that tracks all actions performed through the Help Desk application. Data is automatically written here if SQL is chosen as the User Data Repository in the bootstrap configuration.

2) RBAEvents - A write-only (append-only audit) table that tracks all end-user interactions with the PortalGuard server. Data is automatically written here if Credibility-based Authentication is enabled on the "Log/Audit" tab of the bootstrap configuration. NOTE: Credibility-based authentication does NOT also need to be enabled in the PortalGuard security policies.

3) UserProfile - A read/write table that stores PortalGuard's user profile data if SQL is chosen as the User Data Repository in the bootstrap configuration. It contains items such as enrolled phone numbers, challenge answer hashes, last login times through PortalGuard, etc., so it holds sensitive authentication data and access to it should be restricted accordingly.

HDLogging Table

This table is only written to if PortalGuard is configured to store its user profile data in SQL. Each row records one Help Desk action against one target user (or against all users).

Column - Description

Idx - The primary key for the table. Uses an "identity" property, i.e. an auto-incrementing value.

Created - Date/time stamp of the action.

Action - The type of Help Desk action; see "Help Desk Actions" below.

FldParam - The type of field(s) the CLEARFIELD action removes; see "Help Desk Field Parameters" below. For every other action this is 0 (HD_CLRFLD_NULL).

HDUser - The username of the Help Desk employee who executed the action.

ClientIP - The IP address of the Help Desk employee.

Server - The hostname or IP address of the PortalGuard server that handled the action.

UserIdx - The user index of the target user; a foreign key into the UserProfile table. This value is -1 if the action was performed on all users.

NameUsed - The full name of the user as delivered in the HTTP request, e.g.:

FirstnameLastname [username]

PWUsed - Reserved; not currently used.

Help Desk Actions

Numeric codes are used to represent the actions that can be performed through the PortalGuard Help Desk application.

Code - Description
1 - HD_ACTION_UNLOCK
2 - HD_ACTION_RESETPW
3 - HD_ACTION_EXPIREPW
4 - HD_ACTION_CREATEOTP
5 - HD_ACTION_CLEARFIELD
6 - HD_ACTION_RESETFIELDS

Help Desk Field Parameters

Numeric codes are used to represent the field(s) that should be removed or affected by the CLEARFIELD action.

Code - Description
0 - HD_CLRFLD_NULL - Used for all other HD actions besides CLEARFIELD
1 - HD_CLRFLD_EXPDATE - Password expiration date
2 - HD_CLRFLD_STRIKES - Strikes
3 - HD_CLRFLD_ANSWERS - Challenge answers
4 - HD_CLRFLD_SS_SKIPS - Self-service enrollment "skipped" count
5 - HD_CLRFLD_SS_SUPPRESS - Self-service enrollment "suppression" flag
6 - HD_CLRFLD_SS_ENROLL_PHONE - All enrolled phones
7 - HD_CLRFLD_SS_ENROLL_EMAIL - Enrolled email address
8 - HD_CLRFLD_SS_PHONE_OTP - Any real-time OTP in the user's profile that had been generated and sent to a phone
9 - HD_CLRFLD_SS_EMAIL_OTP - Any real-time OTP in the user's profile that had been generated and sent to an email address
10 - HD_CLRFLD_SESSION - The session ID used by PortalGuard's Concurrent Session Prevention feature
11 - HD_CLRFLD_LINKACCT - Any secondary accounts that are linked for purposes of password synchronization
12 - HD_CLRFLD_INACTIVITYLOCK - Does not actually delete any fields; it sets "last login time" to the current time, which allows the user to log in again
13 - HD_CLRFLD_YUBIKEY - Any enrolled YubiKey
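Because HDLogging rows carry only numeric Action and FldParam codes, reviewing them means decoding those codes and deciding which actions weaken a user's authentication posture (password resets, OTP creation, clearing challenge answers, enrolled phones, email or YubiKeys, and anything run against all users with UserIdx -1). The following is an added example, not PortalGuard's own code: it decodes rows using the code tables above, flags the sensitive ones, counts them per Help Desk user, and checks the page's rule that FldParam is 0 for every action other than CLEARFIELD. The rows are constructed sample data, and the choice of which actions count as "sensitive" is this example's judgement, not something the page prescribes.

```python
"""Added example: decode and review PortalGuard HDLogging rows.
Not PortalGuard code. SAMPLE_ROWS is constructed data, not real audit output."""
from collections import Counter

# Code tables exactly as documented on this page.
HD_ACTIONS = {1: "UNLOCK", 2: "RESETPW", 3: "EXPIREPW", 4: "CREATEOTP",
              5: "CLEARFIELD", 6: "RESETFIELDS"}
HD_CLRFLD = {0: "NULL", 1: "EXPDATE", 2: "STRIKES", 3: "ANSWERS",
             4: "SS_SKIPS", 5: "SS_SUPPRESS", 6: "SS_ENROLL_PHONE",
             7: "SS_ENROLL_EMAIL", 8: "SS_PHONE_OTP", 9: "SS_EMAIL_OTP",
             10: "SESSION", 11: "LINKACCT", 12: "INACTIVITYLOCK", 13: "YUBIKEY"}
HD_ACTION_CLEARFIELD = 5
ALL_USERS = -1  # UserIdx value documented for "performed on all users"

# Review policy (this example's assumption, not the page's): actions that
# replace or remove an authentication factor deserve a second look.
SENSITIVE_ACTIONS = {"RESETPW", "CREATEOTP", "RESETFIELDS"}
SENSITIVE_CLEARS = {"ANSWERS", "SS_ENROLL_PHONE", "SS_ENROLL_EMAIL",
                    "YUBIKEY", "SESSION"}


def describe(row):
    """Return 'ACTION' or 'CLEARFIELD:FIELD' for one HDLogging row."""
    action = HD_ACTIONS.get(row["Action"], f"UNKNOWN({row['Action']})")
    if row["Action"] == HD_ACTION_CLEARFIELD:
        field = HD_CLRFLD.get(row["FldParam"], f"UNKNOWN({row['FldParam']})")
        return f"{action}:{field}"
    return action


def inconsistent(row):
    """FldParam is only meaningful for CLEARFIELD; the page documents
    HD_CLRFLD_NULL (0) for every other action. Anything else is suspect."""
    is_clear = row["Action"] == HD_ACTION_CLEARFIELD
    return (is_clear and row["FldParam"] == 0) or (not is_clear and row["FldParam"] != 0)


def is_sensitive(row):
    if row["UserIdx"] == ALL_USERS:   # bulk action against every user
        return True
    action, _, field = describe(row).partition(":")
    if action in SENSITIVE_ACTIONS:
        return True
    return action == "CLEARFIELD" and field in SENSITIVE_CLEARS


def review(rows, per_agent_threshold=3):
    """Return (flagged rows, {HDUser: count} for agents at/over threshold)."""
    flagged = [r for r in rows if is_sensitive(r)]
    per_agent = Counter(r["HDUser"] for r in flagged)
    noisy = {u: n for u, n in per_agent.items() if n >= per_agent_threshold}
    return flagged, noisy


def _row(idx, created, action, fld, hduser, ip, useridx, name):
    return {"Idx": idx, "Created": created, "Action": action, "FldParam": fld,
            "HDUser": hduser, "ClientIP": ip, "Server": "pg01",
            "UserIdx": useridx, "NameUsed": name, "PWUsed": None}


# Constructed sample rows in the column layout documented above.
SAMPLE_ROWS = [
    _row(1, "2024-03-01 09:02:11", 1, 0, "hd.alice", "10.0.5.12", 1042, "Jane Doe [jdoe]"),
    _row(2, "2024-03-01 09:05:40", 2, 0, "hd.bob", "10.0.5.20", 1042, "Jane Doe [jdoe]"),
    _row(3, "2024-03-01 09:06:02", 5, 3, "hd.bob", "10.0.5.20", 1042, "Jane Doe [jdoe]"),
    _row(4, "2024-03-01 09:06:30", 5, 13, "hd.bob", "10.0.5.20", 1042, "Jane Doe [jdoe]"),
    _row(5, "2024-03-01 10:00:00", 5, 2, "hd.alice", "10.0.5.12", -1, ""),
    _row(6, "2024-03-01 10:30:12", 1, 3, "hd.carol", "10.0.5.31", 2077, "Ann Smith [asmith]"),
]

if __name__ == "__main__":
    flagged, noisy = review(SAMPLE_ROWS)
    for r in flagged:
        print(f"{r['Created']} {r['HDUser']:<9} {describe(r):<28} UserIdx={r['UserIdx']}")
    print("agents over threshold:", noisy)
    print("inconsistent rows:", [r["Idx"] for r in SAMPLE_ROWS if inconsistent(r)])
```

In practice the rows would come from the real table over the same ODBC datasource the bootstrap uses; the per-agent threshold is a starting point for spotting one Help Desk account resetting many users' factors in a short window, and the consistency check catches rows that do not match the documented code semantics.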

RBAEvents Table

This table is only written to if PortalGuard is configured for credibility-based authentication (CBA). Please note that the security policies do not actually need to use CBA, so "normal" authentication events will still be written to this table. Each row records one agent request; the PGSession value ties together the rows that belong to one user's session.

Column - Description

Idx - The primary key for the table. Uses an "identity" property, i.e. an auto-incrementing value.

Created - Date/time stamp of the action.

Uname - The name exactly as entered by the user.

Action - PortalGuard uses the concept of discrete "agents" that perform specific tasks. This value is the agent type code; see "Agent Type Codes" below.

Success - Whether the overall action succeeded or failed.

ClientIP - The IP address of the end user.

Server - The hostname or IP address of the PortalGuard server that handled the action.

URL - The URL path, which gives an indication of where the user was going.

HadDesktop - A flag indicating whether the request was performed from the PortalGuard Desktop client ("1"). Normal browser access to PortalGuard is "0".

PGSession - PortalGuard creates a session ID cookie to keep track of the user's activities before they actually log in. This value can then be used to correlate a user's sequence of actions during a specific session.

CredPol - The name of the credibility policy in use during the action. If CBA is not enabled in the security policy that applies to the user, this column is blank.

XMLData - An XML blob containing specific data about the request and the PortalGuard server's response. The major and minor error codes are stored here and can be queried using XPath notation:

XMLData //record/errors/majerr - Each agent has a corresponding "major" SUCCESS and ERROR code. The major error is only used to determine whether the agent succeeded or not, and only one major error is returned per request. See "Major Errors" below for the list.

XMLData //record/errors/minerrs - If an action fails, this compound structure contains one or more minor errors, which is where the details of why an agent failed are stored. See "Minor Error Codes" below for the list.
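Since the RBAEvents table only exposes the agent code and a success flag as columns, the reason a login failed has to be pulled out of XMLData with the XPaths above. The following is an added example, not PortalGuard's own code: it builds an in-memory SQLite table with the column layout documented above (the real table sits behind the bootstrap's ODBC datasource; SQLite is used here only so the example runs offline), inserts constructed sample events, selects failed LOGIN agent requests, parses each row's XMLData for the major error and minor errors, and then looks for one ClientIP failing against many distinct usernames (password spraying). The page documents the //record/errors/majerr and //record/errors/minerrs paths but not the element name of the individual minor errors inside minerrs; the <minerr> child used here, the 0/1 encoding of Success, and the URL paths in the sample data are all this example's assumptions.

```python
"""Added example: mine PortalGuard RBAEvents for failed logins.
Not PortalGuard code. SAMPLE_EVENTS is constructed data; the XMLData layout
below follows the XPaths documented on the page plus an assumed <minerr>
child element inside <minerrs>."""
import sqlite3
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

AGENT_LOGIN = 1          # Agent Type Code: LOGIN
AGENT_LOGOUT = 10        # Agent Type Code: LOGOUT
RC_NONE = 0              # major code PGAPI_RC_NONE
RC_LOGIN_FAILED = 1      # major code PGAPI_RC_LOGIN_FAILED
MINOR_NAMES = {          # subset of the minor codes listed on this page
    1300: "PGAPI_RC_BAD_USER", 1301: "PGAPI_RC_BAD_PASSWORD",
    1310: "PGAPI_RC_STRIKE", 1311: "PGAPI_RC_ACCOUNT_STRUCKOUT",
    1729: "PGAPI_RC_TOKEN_OTP_REPLAYED",
}


def xml_blob(majerr, minerrs):
    """Build an XMLData blob (assumed layout) for a sample row."""
    inner = "".join(f"<minerr>{m}</minerr>" for m in minerrs)
    return (f"<record><errors><majerr>{majerr}</majerr>"
            f"<minerrs>{inner}</minerrs></errors></record>")


def parse_errors(xmldata):
    """Return (majerr, [minerrs]) using the page's XPaths relative to <record>."""
    root = ET.fromstring(xmldata)
    maj = root.find("./errors/majerr")
    majerr = int(maj.text) if maj is not None and maj.text else None
    minerrs = [int(e.text) for e in root.findall("./errors/minerrs/minerr") if e.text]
    return majerr, minerrs


SCHEMA = """CREATE TABLE RBAEvents (
    Idx INTEGER PRIMARY KEY AUTOINCREMENT, Created TEXT, Uname TEXT,
    Action INTEGER, Success INTEGER, ClientIP TEXT, Server TEXT, URL TEXT,
    HadDesktop INTEGER, PGSession TEXT, CredPol TEXT, XMLData TEXT)"""

# Constructed sample events: one internal user logging in, an external IP
# trying three different usernames, one genuine typo, then a logout.
SAMPLE_EVENTS = [
    # Created, Uname, Action, Success, ClientIP, Server, URL, HadDesktop, PGSession, CredPol, XMLData
    ("2024-03-01 08:00:01", "jdoe", AGENT_LOGIN, 1, "10.0.5.12", "pg01", "/pg/login", 0, "s-111", "", xml_blob(RC_NONE, [])),
    ("2024-03-01 08:10:05", "jdoe", AGENT_LOGIN, 0, "203.0.113.7", "pg01", "/pg/login", 0, "s-222", "", xml_blob(RC_LOGIN_FAILED, [1301, 1310])),
    ("2024-03-01 08:10:09", "asmith", AGENT_LOGIN, 0, "203.0.113.7", "pg01", "/pg/login", 0, "s-223", "", xml_blob(RC_LOGIN_FAILED, [1301, 1310])),
    ("2024-03-01 08:10:14", "bwong", AGENT_LOGIN, 0, "203.0.113.7", "pg01", "/pg/login", 0, "s-224", "", xml_blob(RC_LOGIN_FAILED, [1300])),
    ("2024-03-01 08:15:40", "JDoe", AGENT_LOGIN, 0, "10.0.5.12", "pg01", "/pg/login", 0, "s-111", "", xml_blob(RC_LOGIN_FAILED, [1301, 1310])),
    ("2024-03-01 08:20:00", "jdoe", AGENT_LOGOUT, 1, "10.0.5.12", "pg01", "/pg/logout", 0, "s-111", "", xml_blob(RC_NONE, [])),
]


def load(events):
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO RBAEvents (Created, Uname, Action, Success, ClientIP,"
                    " Server, URL, HadDesktop, PGSession, CredPol, XMLData)"
                    " VALUES (?,?,?,?,?,?,?,?,?,?,?)", events)
    return con


def failed_logins(con):
    """Failed LOGIN agent requests with their decoded major/minor errors."""
    cur = con.execute("SELECT Created, Uname, ClientIP, PGSession, XMLData FROM RBAEvents"
                      " WHERE Action = ? AND Success = 0 ORDER BY Idx", (AGENT_LOGIN,))
    out = []
    for created, uname, ip, session, xmldata in cur:
        majerr, minerrs = parse_errors(xmldata)
        out.append({"created": created, "uname": uname, "ip": ip,
                    "session": session, "majerr": majerr, "minerrs": minerrs})
    return out


def spray_sources(failures, min_users=3):
    """ClientIPs whose failures span at least min_users distinct usernames.
    Uname is stored as typed, so normalise case before counting."""
    users_by_ip = defaultdict(set)
    for f in failures:
        users_by_ip[f["ip"]].add(f["uname"].lower())
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def minor_histogram(failures):
    """How often each minor error explains a failed login."""
    counts = Counter()
    for f in failures:
        for m in f["minerrs"]:
            counts[MINOR_NAMES.get(m, str(m))] += 1
    return dict(counts)


if __name__ == "__main__":
    fails = failed_logins(load(SAMPLE_EVENTS))
    print("spray sources:", spray_sources(fails))
    print("minor errors:", minor_histogram(fails))
```

Against a production copy of the table the same query runs over the ODBC connection with the XML parsing done client-side, or, if the database engine has native XML support, the two XPaths can be evaluated in SQL directly; either way, correlate on PGSession rather than Uname when reconstructing what one browser session did before and after the failure.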

Agent Type Codes

Code - Description
1 - LOGIN - For username/password-based logins to the PG website
2 - PWCHANGE - User changing their password when they know the current one
3 - SETRECOVERINFO - Shortcut code to set challenge answers
4 - TERMSOFUSE - Acceptance or rejection of Terms Of Use
9 - CHECKLOGINCHALLENGEANSWER - Validates the challenge answer when Knowledge-Based Authentication (KBA) is enabled; the user enters name, password and a challenge answer to log in
10 - LOGOUT
11 - USEROPTIONS - The initial screen of PG that only prompts for the username. This determines the required authentication type for the user, which controls what to prompt them for next.
12 - OTPENROLL - Enrollment of a phone number (or email address) to be used for 2FA logins
13 - OTPENTRY - Validation of the OTP sent to the user to confirm that the enrollment info (phone or email) was correct
15 - ADMIN_BATCH_IMPORT - Batch import by an administrator
16 - RECOVERY_ENROLL_CHECK - Only used by the PGDesktop; this agent checks whether the user must perform any enrollments (e.g. challenge answers, phone, email)
18 - SELFSERVICE - All self-service actions, including enrollment and use (e.g. unlock, password reset)
19 - ACCTLINK - For linking secondary accounts for purposes of password synchronization
20 - XMLLOGIN - Only for XML-based logins. Currently only used for RADIUS clients and for background validation of user credentials performed by the IIS server itself (rather than by PG agents within the PG UI)
100 - HD_ACTION - Any of the Help Desk actions
101 - USER_SEARCH - Username searches performed through the PG Help Desk
102 - DB_ACTION - Only used by the PG Admin Dashboard for displaying reports
109 - TTT_CRED_TEST - Only used during PassiveKey enrollment (step 1 of 3); verifies the user's credentials before allowing enrollment to continue
110 - TTT_ENROLL_CERT - Only used during PassiveKey enrollment (step 2 of 3); handles the certificate signing request from the client, which is required for the PKI portion of PassiveKey
111 - TTT_ENROLL_KEY - Only used during PassiveKey enrollment (step 3 of 3); handles creation of the shared seed that exists on the client and server. The TOTP is generated from this seed and the current time.
200 - ACCT_STATUS - Request from an authenticated user to get the details shown on the PG Account Management page
201 - ACCT_SETCHAL - Request from an authenticated user to set their challenge answers from the PG Account Management page
202 - ACCT_PHONEADD - Request from an authenticated user to add a phone from the PG Account Management page
203 - ACCT_PHONECONFIRM - Request from an authenticated user to validate the OTP sent to the phone they are enrolling from the PG Account Management page
204 - ACCT_PHONEREMOVE - Request from an authenticated user to remove a phone from the PG Account Management page
205 - ACCT_EMAILSET - Request from an authenticated user to set their email address from the PG Account Management page
206 - ACCT_EMAILCONFIRM - Request from an authenticated user to validate the OTP sent to the email address they are enrolling from the PG Account Management page
207 - ACCT_PRINTOTPS - Request from an authenticated user to print OTPs from the PG Account Management page
208 - ACCT_YUBIKEYADD - Request from an authenticated user to enroll a YubiKey from the PG Account Management page
209 - ACCT_YUBIKEYREMOVE - Request from an authenticated user to remove a YubiKey from the PG Account Management page

Major Errors

Code - Description
0 - PGAPI_RC_NONE
1 - PGAPI_RC_LOGIN_FAILED
2 - PGAPI_RC_PWCHANGE_SUCCESS
3 - PGAPI_RC_PWCHANGE_FAILED
4 - PGAPI_RC_PWRECOVERY_SUCCESS
5 - PGAPI_RC_PWRECOVERY_FAILED
6 - PGAPI_RC_CHECKLOGINANS_SUCCESS
7 - PGAPI_RC_CHECKLOGINANS_FAILED
8 - PGAPI_RC_CHECKANS_SUCCESS
9 - PGAPI_RC_CHECKANS_FAILED
10 - PGAPI_RC_AUTHED_GETQS_SUCCESS
11 - PGAPI_RC_AUTHED_GETQS_FAILED
12 - PGAPI_RC_GETQS_SUCCESS
13 - PGAPI_RC_GETQS_FAILED
14 - PGAPI_RC_LOGOUT_SUCCESS
15 - PGAPI_RC_LOGOUT_FAILED
16 - PGAPI_RC_SETANS_SUCCESS
17 - PGAPI_RC_SETANS_FAILED
18 - PGAPI_RC_TOU_SUCCESS
19 - PGAPI_RC_TOU_FAILURE
20 - PGAPI_RC_GETOPTS_SUCCESS
21 - PGAPI_RC_GETOPTS_FAILURE
22 - PGAPI_RC_OTPENROLL_SUCCESS
23 - PGAPI_RC_OTPENROLL_FAILURE
24 - PGAPI_RC_OTPENTRY_SUCCESS
25 - PGAPI_RC_OTPENTRY_FAILURE
26 - PGAPI_RC_RECOVERYENROLLCHECK_SUCCESS
27 - PGAPI_RC_RECOVERYENROLLCHECK_FAILURE
28 - PGAPI_RC_OFFLINERECOVERY_SUCCESS
30 - PGAPI_RC_GENERAL_FAILURE
31 - PGAPI_RC_PG_UNAVAILABLE
32 - PGAPI_RC_CAUGHT_EXCEPTION
51 - PGAPI_RC_SELFSERVE_FAILURE
52 - PGAPI_RC_SELFSERVE_SUCCESS
53 - PGAPI_RC_ACCTLINK_FAILURE
54 - PGAPI_RC_ACCTLINK_SUCCESS
55 - PGAPI_RC_TTTENROLL_FAILURE
56 - PGAPI_RC_TTTENROLL_SUCCESS

For PortalGuard Help Desk or Administrator Dashboard

100 - PGAPI_RC_HDREQ_SUCCESS
101 - PGAPI_RC_HDREQ_FAILURE
102 - PGAPI_RC_USERSEARCH_SUCCESS
103 - PGAPI_RC_USERSEARCH_FAILURE
104 - PGAPI_RC_DBREQ_SUCCESS
105 - PGAPI_RC_DBREQ_FAILURE

For PortalGuard Account Management

200 - PGAPI_RC_ACCTSTATUS_SUCCESS
201 - PGAPI_RC_ACCTSTATUS_FAILURE
202 - PGAPI_RC_ACCTCQA_SUCCESS
203 - PGAPI_RC_ACCTCQA_FAILURE
204 - PGAPI_RC_ACCTPHONEADD_SUCCESS
205 - PGAPI_RC_ACCTPHONEADD_FAILURE
206 - PGAPI_RC_ACCTPHONEREMOVE_SUCCESS
207 - PGAPI_RC_ACCTPHONEREMOVE_FAILURE
208 - PGAPI_RC_ACCTEMAILCHANGE_SUCCESS
209 - PGAPI_RC_ACCTEMAILCHANGE_FAILURE
210 - PGAPI_RC_ACCTPRINTOTP_SUCCESS
211 - PGAPI_RC_ACCTPRINTOTP_FAILURE
212 - PGAPI_RC_ACCTYUBIKEYADD_SUCCESS
213 - PGAPI_RC_ACCTYUBIKEYADD_FAILURE
214 - PGAPI_RC_ACCTYUBIKEYREMOVE_SUCCESS
215 - PGAPI_RC_ACCTYUBIKEYREMOVE_FAILURE

Minor Error Codes

Since these are updated frequently, here is the data straight from PortalGuard's API.h header file. The "L" suffix after each code (a C long-integer literal) can be ignored.

/* Minor error codes */

/* General failures */
#define PGAPI_RC_TRIAL_EXPIRED 1100L
#define PGAPI_RC_AUTH_SERVER_UNAVILABLE 1101L
#define PGAPI_RC_BAD_REQUEST_TYPE 1102L
#define PGAPI_RC_UNLICENSED_FEATURE 1103L
#define PGAPI_RC_BAD_REQUEST_FORMAT 1104L
#define PGAPI_RC_NOT_INITIALIZED 1110L
#define PGAPI_RC_UNKNOWN 1111L
#define PGAPI_RC_INTERNAL_ERROR 1120L
#define PGAPI_RC_DOCUMENT_NOT_SAVED 1121L
#define PGAPI_RC_CONFIG_ERROR 1122L
#define PGAPI_RC_BAD_USER_DATA 1123L
#define PGAPI_RC_LDAP_DSA_UNWILLING_SSL 1132L
#define PGAPI_RC_IDENG_UNKNOWN 1150L

/* Input missing */
#define PGAPI_RC_NO_USERNAME_SUPPLIED 1200L
#define PGAPI_RC_NO_PASSWORD_SUPPLIED 1201L
#define PGAPI_RC_NO_NEWPW_SUPPLIED 1202L
#define PGAPI_RC_BLANK_CHAL_ANSWER 1203L
#define PGAPI_RC_LOGIN_REQUIRES_CHAL 1204L
#define PGAPI_RC_NO_ADMIN_CREDS 1205L
#define PGAPI_RC_REPEATED_ANSWER 1206L
#define PGAPI_RC_ANS_CONTAINS_QWORD 1207L
#define PGAPI_RC_NO_NEWUSER_SUPPLIED 1208L

/* Input bad */
#define PGAPI_RC_BAD_USER 1300L
#define PGAPI_RC_BAD_PASSWORD 1301L
#define PGAPI_RC_GENERIC_BAD_LOGIN 1302L
#define PGAPI_RC_INVALID_NEWUSER 1303L
#define PGAPI_RC_UNUSABLE_NEWUSER 1304L
#define PGAPI_RC_STRIKE 1310L
#define PGAPI_RC_ACCOUNT_STRUCKOUT 1311L
#define PGAPI_RC_ACCOUNT_DISABLED 1312L
#define PGAPI_RC_ACCOUNT_EXPIRED 1313L
#define PGAPI_RC_PWCHANGE_DISABLED 1314L
#define PGAPI_RC_BAD_CHAL_ANSWER 1320L
#define PGAPI_RC_NO_CAPTCHA 1321L
#define PGAPI_RC_BAD_CAPTCHA 1322L
#define PGAPI_RC_NEWPWS_NOT_MATCH 1330L
#define PGAPI_RC_INPUT_ERROR 1340L

/* Account not ready for login */
#define PGAPI_RC_PWEXPIRED 1400L
#define PGAPI_RC_PWEXPINGRACE 1401L
#define PGAPI_RC_CHAL_ANSWERS_NOT_SET 1410L
#define PGAPI_RC_CHAL_RECOVERY_NOT_ENABLED 1411L
#define PGAPI_RC_RECOVERY_BLOB_MISSING 1412L
#define PGAPI_RC_RECOVERY_INVALID 1413L
#define PGAPI_RC_RECOVERY_LOCKED 1414L
#define PGAPI_RC_SELFSERV_NOT_ENABLED 1415L
#define PGAPI_RC_SELFSERV_NOT_ENROLLED 1416L
#define PGAPI_RC_SSAUTH_NOT_AVAILABLE 1417L
#define PGAPI_RC_SELFSERV_NEED_ENROLL 1418L
#define PGAPI_RC_REPOSITORY_NEED_LINK 1419L
#define PGAPI_RC_INACTIVITY_LOCKOUT 1420L
#define PGAPI_RC_NEED_USERNAME_CHANGE 1421L
#define PGAPI_RC_TOO_MANY_SESSIONS 1430L
#define PGAPI_RC_RBA_UNSUPPORTED 1440L

/* Input not sufficient */
#define PGAPI_RC_CHAL_ANSWER_NOT_COMPLEX 1500L
#define PGAPI_RC_PW_TOO_SHORT 1501L
#define PGAPI_RC_PW_TOO_LONG 1502L
#define PGAPI_RC_PW_INSUFF_LCASE 1503L
#define PGAPI_RC_PW_INSUFF_UCASE 1504L
#define PGAPI_RC_PW_INSUFF_NUMERIC 1505L
#define PGAPI_RC_PW_INSUFF_SPECIAL 1506L
#define PGAPI_RC_PW_AD_COMPLEXITY 1507L
#define PGAPI_RC_PW_DICTIONARY_HIT 1508L
#define PGAPI_RC_PW_INSUFF_SCORE 1509L
#define PGAPI_RC_PW_PREVIOUSLY_USED 1510L
#define PGAPI_RC_PW_REGEX_FAILURE 1511L
#define PGAPI_RC_PW_SYNC_FAILURE 1512L
#define PGAPI_RC_PW_TOO_YOUNG 1515L

/* Help Desk return codes */
#define PGAPI_RC_INVALID_REQUEST_FORMAT 1600L
#define PGAPI_RC_INVALID_DISALLOWED_ACTION 1601L
#define PGAPI_RC_INVALID_ACTION 1602L
#define PGAPI_RC_INVALID_USERLIST 1603L
#define PGAPI_RC_MISSING_PARAM 1604L
#define PGAPI_RC_INVALID_CLEARFIELD 1605L
#define PGAPI_RC_VA_DISABLED 1606L
#define PGAPI_RC_MISSING_VA_ANSWERS 1607L

/* OTP, Machine enrollment */
#define PGAPI_RC_OTP_NEED_ENROLLMENT 1700L
#define PGAPI_RC_OTP_ENTER_OTP 1701L
#define PGAPI_RC_OTP_BAD_PHONE 1702L
#define PGAPI_RC_NO_PHONE 1703L
#define PGAPI_RC_OTP_BAD_PROVIDER 1705L
#define PGAPI_RC_EMAIL_BAD_FORMAT 1706L
#define PGAPI_RC_EMAIL_BAD_DOMAIN 1707L
#define PGAPI_RC_OTP_MISSING 1710L
#define PGAPI_RC_OTP_BAD 1711L
#define PGAPI_RC_OTP_STRIKE 1712L
#define PGAPI_RC_OTP_EXPIRED 1713L
#define PGAPI_RC_OTP_NOT_SENT 1714L
#define PGAPI_RC_OTP_RESENT 1720L
#define PGAPI_RC_OTP_RESEND_TOO_SOON 1721L
#define PGAPI_RC_OTP_SMS_UNSUPPORTED 1722L
#define PGAPI_RC_PHONE_DUPLICATE 1723L
#define PGAPI_RC_TOKEN_ENROLL_NOT_AVAILABLE 1724L
#define PGAPI_RC_TOKEN_NAME_NOT_SUPPLIED 1725L
#define PGAPI_RC_TOKEN_DUPLICATE 1726L
#define PGAPI_RC_TOKEN_BAD 1727L
#define PGAPI_RC_TOKEN_NOT_ENROLLED 1728L
#define PGAPI_RC_TOKEN_OTP_REPLAYED 1729L
#define PGAPI_RC_TOKEN_REQ_REPLAYED 1730L

#define PGAPI_RC_SERVICE_MISCONFIGURED 1800L
#define PGAPI_RC_SERVICE_ACCT_ISSUE 1801L
#define PGAPI_RC_SERVICE_DELIVERY_FAILURE 1802L
#define PGAPI_RC_SMS_UNSUPPORTED 1803L
#define PGAPI_RC_VOICE_UNSUPPORTED 1804L

UserProfile Table

This table is only written to if PortalGuard is configured to store its user profile data in SQL. It is the table the HDLogging UserIdx column refers to.

Column - Description

UserIdx - The primary key for the table.

Uname - The user's logon name.

Created - Date/time stamp of when the user record was initially created.

Modified - Date/time stamp of when the user record was last modified.

XMLData - An XML blob containing all user fields/data (enrolled phone numbers, challenge answer hashes, last login times, etc.). This column should never be modified directly, as its contents and structure change frequently; use the Help Desk actions or Account Management agents described above instead.