Administration | Authentication Web
The Authentication Web can be used to view system information and manage various aspects of the product, including system-wide configurations and multi-factor authentication policies for its various resources.
Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Authentication web: https://login.specopssoft.com/authentication/admin
From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.
Create and install new Gatekeeper
- Log in to the Specops Authentication Web.
- Click Gatekeepers.
- Click New.
- Click Download on Default self extracting installation package.
Note: Take note of the activation code displayed on screen as you will be prompted for it during installation.
- Run the installation file.
- Complete the installation steps.
- Go back to the Gatekeepers page on the Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.
From the Cloud Accounts menu, you can:
- View a list of existing Cloud accounts
- Add new Cloud accounts
- Delete Cloud accounts
- Generate an enrollment URL for a new Cloud account
View existing Cloud accounts
You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.
Add a new Cloud account
To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.
- Click Add user.
- In the Account name field, enter the account name (UPN) of the user account. For example: firstname.lastname@example.org
- The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the Account name field.
- Click Save.
Generate an enrollment session URL for a Cloud account
You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web. The URL must be copied and sent via email or text message.
Note: An enrollment URL will expire 2 hours after it has been generated. This is a system-wide setting that cannot be altered. If the URL expires before it is used, a new one must be generated.
- Select a Cloud account from the list.
- Click Generate next to the Enroll Session URL field.
- When the URL has been generated, click the Copy to clipboard button to copy it.
Delete a Cloud account
You can delete a Cloud account in the Cloud accounts menu.
WARNING: If you are a member of the “Admin group”, you will have the ability to delete another Cloud account.
- Select a user from the list.
- Click Delete.
You can find a full list of available identity services under the Identity Services tab. You can enable or disable all of the identity services in this list. You configure some of these identity services and manage their system-wide settings on this page.
- A configurable identity service that is currently disabled.
Once you configure an identity service and enable it, your users will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.
The following identity services can be configured:
- Duo: Duo security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo mobile app. They must then enter the code to successfully authenticate. To configure Duo, see here.
- EFOS/SITHS: EFOS/SITHS is a smart card-based authentication service that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. To configure EFOS/SITHS, see here.
- Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. To configure Manager Identification, see here.
- Mobile Code: If users choose to enroll with Mobile Code, they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. To configure mobile code, see here.
- Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. To configure Secret Questions, see here.
- Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. To configure Symantec VIP, see here.
There are a number of customization features that give you control over the Specops Authentication end-user interface, including: logos, text, and colors.
You can add a custom logo to the end-user interface, so that it matches your organization’s corporate look and feel.
The following file types are supported:
The file size must be less than one megabyte. If a .png file with transparency is used, it will be rendered as expected, with the header background color showing through the transparent parts.
The customized logo will be rendered with a height of 40 pixels. The dimensions (width to height ratio) of the image will always be kept intact.
If the height of the uploaded image is less than 40 pixels it will be scaled up to a height of 40 pixels when rendered and the width will be increased correspondingly to keep the dimensions. Scaling the image will significantly decrease the quality of the rendered image.
If the height of the uploaded image is greater than 40 pixels, it will be scaled down to a height of 40 pixels and the width will be decreased correspondingly.
Note: Scaling down the image decreases the quality of the rendered image.
For the best results, use an image with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.
Change the main logo
The main logo (your company logo) will appear in the top-left corner of Specops Authentication Web.
- In the Main logo section, click Browse.
- In the file explorer, select your logo, and click Open.
- Click Upload.
- The logo will appear in the top-left corner of the page.
Note: To revert to the default logo, click Default.
Change the login image
The login image will appear on the login page, where you enter your username to authenticate with Specops Authentication Web.
- In the Login image section, click Browse.
- In the file explorer, select an image, and click Open.
- Click Upload.
- You will see a preview of the image below.
You can customize the color scheme in Specops Authentication Web, so that it matches your company’s corporate look and feel.
- Select a checkbox next to one of the UI elements. For example: select MainBackground to change the background color in Specops Authentication Web.
- Select a color. You can specify a color in two ways:
  - Using the color picker
  - By entering a hexadecimal color code
Note: The color picker will look different, depending on the browser you are using.
Note: To revert to the default color scheme, click Revert to default colors, or uncheck the Customized checkbox.
You can customize the text displayed in the Specops Authentication Web pages by changing the language and text in messages and notifications.
Change the language
When you are customizing the text, you must do it for each language your users will use. Select the language you want to customize by clicking the Language dropdown and selecting a language from the list.
Add custom text
You can customize the text for several notifications and messages in Specops Authentication Web. For example: you can change the message that is displayed when users have completed their enrollment.
- Click on the text element you want to change. For example: Enroll_Completed_Header.
- Click Use custom and enter the text in the Custom text field.
- Click Save.
The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.
- Statistics: From the Statistics tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or mobile code usage).
- Auditing: From the Auditing tab you can track event changes in uReset. Click Get events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
- System Events: From the System Events tab you can view the log operations by uReset. The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
- Not enrolled users: From the Not enrolled users tab you can track enrollment progress by generating and exporting reports related to user enrollments.
You can see the status of your uReset subscription, including enabled features and identity services from the Subscription tab. You can also see usage statistics including completed authentication by month, and all time.
From the Account menu, you can add multiple domains to your Specops Authentication organization account, and manage CAPTCHA settings.
To add multiple domains to your uReset organization account:
- Select Account on the Authentication Web.
- Click Edit domains.
- Click Add new domain name.
- Enter the domain name in the additional text field, and click Save.
Manage CAPTCHA settings
Configure the CAPTCHA settings to dynamically display a CAPTCHA to prevent user name harvesting.
You can refresh the enrollment statistics, found on the Statistics page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.
The last count statistics can also be found on the page.
From the uReset tab you can configure your policy mode, and see a list of your policies, their configured identity services, as well as their enrollment and authentication requirements.
Configure the uReset policy mode
To specify the authentication rules for users, you will have the following policy mode options:
- Cloud: All users will have the same authentication rules for resetting passwords.
- Group Policy: Users will have different authentication rules as determined by the Group Policy they are affected by. Group Policy Objects can be managed from the Specops Authentication Gatekeeper Admin Tool.
- Both: Group Policy will be processed first, and the Cloud policy will be applied to users not affected by any Group Policy Object with Specops uReset settings.
Configure the uReset policy
To configure the uReset settings for the policy, click Configure next to each policy to set its authentication requirements.
- Move any of the identity services you want to use from the Unselected Identity Services box to the Selected Identity Services box.
- You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator 2 stars would be equivalent to two identity services worth 1 star each. Click here for additional guidance.
- To require the user to use a specific identity service, select Required.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication.
Note: The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
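The star-weight rules above can be checked before saving a policy. The following is an added example, not Specops code: it models a policy and reports findings, assuming that every required identity service must be completed and that its stars count toward the total. The class and function names, star values, and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    stars: int              # weight (star value) assigned in the policy
    required: bool = False  # the "Required" setting for this service

@dataclass(frozen=True)
class Policy:
    services: tuple
    enroll_stars: int       # stars required for enrollment
    auth_stars: int         # stars required for authentication

def satisfied(policy, completed, phase):
    """True if the completed services fill the star bar for 'enroll' or 'auth'.
    Assumption: every required service must be completed and its stars count."""
    needed = policy.enroll_stars if phase == "enroll" else policy.auth_stars
    required_ok = all(s.name in completed for s in policy.services if s.required)
    earned = sum(s.stars for s in policy.services if s.name in completed)
    return required_ok and earned >= needed

def review_policy(policy):
    """Return findings to resolve before saving the policy."""
    findings = []
    if policy.auth_stars > policy.enroll_stars:   # rule stated in the page's note
        findings.append("authentication stars exceed enrollment stars")
    if sum(s.stars for s in policy.services) < policy.enroll_stars:
        findings.append("enrollment stars cannot be reached with the selected services")
    for s in policy.services:                     # reviewer heuristic, not a product rule
        if satisfied(policy, {s.name}, "auth"):
            findings.append(f"{s.name} alone fills the authentication star bar")
    return findings

# Constructed sample policies (star values and thresholds are illustrative).
BALANCED = Policy((Service("Specops Authenticator", 2),
                   Service("Mobile Code", 1, required=True),
                   Service("Secret Questions", 1)), enroll_stars=3, auth_stars=2)
SINGLE_FACTOR = Policy((Service("Specops Authenticator", 2),
                        Service("Secret Questions", 1)), enroll_stars=2, auth_stars=2)

if __name__ == "__main__":
    for label, pol in (("balanced", BALANCED), ("single-factor", SINGLE_FACTOR)):
        print(label, review_policy(pol))
```

A finding that one service alone fills the authentication star bar means the policy allows a single factor to reset a password; raising the authentication stars or marking a second service as required closes that gap.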
Notifications can be used to send messages to users and administrators. Notifications are based on system events in Specops Authentication.
- Log in to the Specops Authentication Web.
- Select uReset, and select the Notifications tab.
- Select an event from the Event drop-down. The following events are currently available:
  - User reset password
  - User unlocked account
  - Insufficient enrollment found
- Select an action from the Action drop-down. The action you select controls the type of message, and the recipient of the message. The following actions are currently available:
  - Text message
- Click Next.
- Configure the required settings. Use the Placeholders by clicking them to select the information that will be different for each user.
- Click Save.
You can configure additional settings, including:
- Enabling the Change Password feature to allow users to change their password from Specops Authentication.
- Hiding the Unicode password rule from users during a password change.
User Management (Helpdesk)
From the User Management menu, the helpdesk staff can verify the accounts of users, using any of their enrolled identity services, or by sending a text message, containing a code, to the user’s mobile phone. Once a user has been verified, the helpdesk can set a new password for the user, and require the user to change the password at next logon. The User Management menu can also display user statistics and information.
Configure multi-factor authentication policy when accessing User Management
For added security, you can configure multi-factor authentication policies for users (typically Helpdesk staff) accessing the User Management pages on the Specops Authentication web.
Searching for a user from the Go to User Management link will open the User Info tab. From the User Information tab, you can view general and policy information about the user. You can browse through the available tabs to view more information about the user, including password info (last password change, password expiration, etc.) and user statistics (full history of system usage for the user, allowing you to identify if the user is using the system appropriately).
Identity verification for users in Active Directory
It is best practice to verify the accounts of users who call the helpdesk. Active Directory users can be verified from the User identification tab by:
- Sending a text message to the user’s mobile phone. The message will contain a code, which the user should repeat to confirm that they have the mobile device associated with the account.
- Requesting identity service verification. Click Request next to the identity service you want the user to identify with. The user can complete the verification from the Specops Password Reset mobile app or from https://www.ureset.com. The user will be required to provide the correct credentials for the requested identity services. When the user has completed the verification, a checkmark will appear next to the identity service.
Note: The identity service verification request will be valid for 10 minutes.
Once a user has verified their identity, you can reset the user’s password from the Reset password tab. It is best practice to enable the must change the password at next logon setting when resetting a user’s password.