Administration | Authentication Web

The Specops Authentication Web can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for its various resources.

Once you have installed and configured the Gatekeeper, users that are members of the Specops Authentication Admin Group can further configure the solution from the Specops Authentication web: https://login.specopssoft.com/authentication/admin

Gatekeepers

From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.

Create and install new Gatekeeper

  1. Login to the Specops Authentication Web.
  2. Click Gatekeepers.
  3. Click New.
  4. Click Download on Default self extracting installation package.
    Note: Take note of the activation code displayed on screen as you will be prompted for it during installation.
  5. Run the installation file.
  6. Complete the installation steps.
  7. Go back to the Gatekeepers page on the Specops Authentication web, and ensure that the Gatekeeper priority is as needed.
Cloud accounts

From the Cloud Accounts menu, you can:

  • View a list of existing Cloud accounts
  • Add new Cloud accounts
  • Delete Cloud accounts
  • Generate an enrollment URL for a new Cloud account

View existing Cloud accounts

You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.

Add a new Cloud account

To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.

  1. Click Add user.
  2. In the Account name field, enter the account name (UPN) of the user account. For example: username@domain.com
  3. The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the Account name field.
  4. Click Save.

Generate an enrollment session URL for a Cloud account

You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web. The URL must be copied and sent via email or text message.

Note: An enrollment URL will expire 2 hours after it has been generated. This is a system-wide setting that cannot be altered. If the URL expires before it is used, a new one must be generated.

  1. Select a Cloud account from the list.
  2. Click Generate next to the Enroll Session URL field.
  3. When the URL has been generated, click the Copy to clipboard button, to copy it.

Delete a Cloud account

You can delete a Cloud account in the Cloud accounts menu.

WARNING: If you are a member of the “Admin group”, you will have the ability to delete another Cloud account.

  1. Select a user from the list.
  2. Click Delete.
Policies

Specops policies are collectiosn of multi-factor authentication rules for the basic functionality of Specops Authentication. Separate policies can be configured for different Specops Authentication applications, as well as for the administrators for authentication for Authentication Web.

Configuring a policy

To configure a policy, click Configure next to each policy to set its authentication requirements.

  1. Move any of the identity services you want to use from the Unselected Identity Services box to the Selected Identity Services
  2. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Click here for additional guidance.
  3. To require the user to use a specific identity service, select the Required
  4. Configure the required weight (stars) for enrollment.
  5. Configure the required weight (stars) for authentication.
    Note: The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
  6. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  7. Click Save when you are done.

Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.

Policy configuration best practices

When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.

When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.

For more information on enrollment, please refer to the Best Practices document.

Weak identity services

Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:

  • Security questions
  • Mobile code
  • Personal email

Enrollment security modes

When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.

There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).

Low security
Users are only required to provide their Windows password for identification.

Medium security
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.

High security
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.

Note: users will be presented with indentity services for (re-)enrollement if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.

Note:the low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.

Auto-enrolled identity services and security modes

For medium- and high security modes, users who are affected by policies that include auto-enrolled identity services, such as DUO and Okta Verify, will have to authenticate with the auto-enrolled identity service on the enrollment page. This means that users will have to have their enrollment with DUO or Okta Verify in place before they can enroll with Specops Authentication.

Lockout settings

The identity services Mobile code, Email, and Personal email can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web, and click on the settings icon next to the identity service in question. The following can be configured:

  • Lockout threshold: determines how many times wrong input can be provided.
  • Lockout duration in minutes: determines how long the identity service will be locked out for.

Trusted Network Locations setting

When this setting is enabled, users can only enroll when authenticating from one of the trusted network locations specified by administrators. For more information, see Trusted Network Locations.

Identity services

You can find a full list of available identity services under the Identity Services tab. You can enable/disable identity services all of the identity services in this list. You configure some of these identity services and  manage their system-wide settings on this page.

If an identity service is configurable, you will see a  next to it. 

If an identity service is disabled, you will see a  next to it.  

If an identity service has been enabled, you will see a  next to it.

Examples:  

  • A configurable identity service that is currently disabled. 

  • A configurable identity service that is currently enabled. 

Once you configure aidentity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available. 

The following identity services can be configured:  

  • Duo
  • EFOS/SITHS
  • Manager Identification
  • Mobile Code
  • Secret Questions
  • Symantec VIP
  • Okta Verify
  • Email and Personal Email: the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication. Personal Email has to be registered at enrollment by the user and they may use any email address of their choosing.
Customization

There are a number of customization features that give you control over the Specops Authentication enduser interface, including: logos, text, and colors. 

Changing the main logo

The logo at the top left of the page, both in Authentication Web and the Authentication Client, can be changed to match your requirements.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affaected.
    • For the best results, use an image width with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

Youcn an also change the image on the login page that is presented to users.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be change to match your comapny’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:

  1. Select the checkbox next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon and select the color you want, then click OK.
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

  1. Select the language you want to make changes to in the Language drop-down.
  2. Click the text element you want to change, for example Enroll_Completed_Header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Customized value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

Text labelDescriptionDefault text
Enroll_Completed_HeaderHeader for page shown when users have met the weight requirements, with option to continue or end enrollment process.All done!
Enroll_Completed_MessageInformation text for page shown when users have met the weight requirements, with option to continue or end enrollment process.You have collected enough stars for your enrollment. Feel free to improve you enrollment information by collecting more stars.
Enroll_CompletedCompleted_MessageText on final page of enrollment process.You have completed the enrollment, you can now close this browser and move on with your day.
Enroll_Edit_HelpText on identity services page when users has opted to make changes to an already complete enrollment.Add or change identity services from the lists below. Make sure your star bar is still full after the changes.
Enroll_HelpText on identity services selection page during enrollment.Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Enroll_Index_MessageText displayed when user switches between services to enroll for (e.g. Admin, User Management etc.)You can enroll for multiple services. Select which service to enroll for. You can also make changes to a completed enrollment.
Enroll_Introduction_HeaderHeader on the first page of the enrollment wizard (before entering password)Enrollment Reminder
Enroll_Introduction_MessageText on the first page of the enrollment wizard (before entering password)You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard.
Error_Mfa_UserHasNoPolicy_MessageError message text displayed when a user who does not have a policy configured tries to sign in.No policy has been configured for you for this service.
Error_Mfa_UserHasNoPolicy_TitleError message title displayed when a user who does not have a policy configured tries to sign in.You cannot enroll for this service
Mfa_Menu_MessageText on identity services selection page during login.Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Mfa_NotEnrolled_EnrollmentMissing_HeaderHeader displayed when a user is not enrolled with uReset and tries to reset their password.Enrollment missing
Mfa_NotEnrolled_IsuReset_Information Text displayed when a user is not enrolled with uReset and tries to reset their password.You cannot reset your password because you have not enrolled for the reset password service.
Password_Complete_MessageText on final page for a password reset or password change.Your password has been changed! If using a Windows computer, it is recommended to sign-out and sign-in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary.
Password_CompleteSecureBrowser_MessageText on final page for a password reset or password change that started from the Windows identity password view.Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary.
Password_Instructions_MessageText displayed above password rules when performing a password change or password reset.
Password_Instructions_Mobile_HeaderClickable text displayed on small devices to expand the password instructions, above the password rules when performing a password change or password reset.Show instructions
SkipCredentialScreening_UserName_LabelText displayed when a user enters their username during sign-in.Username
UserManagement_SearchInformationText displayed on the User Management start page.Use the search box to find users. You can search by account names, email addresses or users' real names.
WindowsIdentity_UserName_LabelText displayed when a user enters their password during sign-in.Username
Windows Identyity id serviceWindows Identity text on the login page.Windows Identity

Setting a fallback language

The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.

  1. In Authentication Web go to Customization > Texts
  2. Click on the language you want to set as the fallback language, and click Set as fallback language.
    Note: if a language has been set as the fallback language, the button will allow you to disable the fallback language, otherwise it will allow you to set it.

The order in which text strings are shown to the user is as follows:

  1. Customized value for the user’s current language.
  2. Customized value for the fallback language (if no customized value exists for the current language).
  3. Default text for the current language (if there are no customized values for either the current language or the fallback language).

This feature can be used to make sure that important custom message are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Complete_Message string in English also has a customized value. If a user has their language set to anthing other than French or English, they will still see the English message, even if there is no customized text for their current language.

Reporting

The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.

  • Statistics: From the Statistics tab you can view completed enrollments, completed authentications with Specops Authentication, text message activity (such as notifications, or mobile code usage), and completed authentications to O365.
  • Auditing: From the Auditing tab you can track event changes in Specops Authentication. Click Get events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
  • System Events: From the System Events tab you can view the log operations by Specops Authentication and O365 components. The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
  • Export: From the Export tab you can track enrollment progress by generating and exporting reports related to user enrollments.
Subscription

You can see the status of your Specops Authentication subscription, including enabled features and identity services from the Subscription tab. You can also see usage statistics including completed authentication by month, and all time.

Account

From the Account menu, you can add multiple domains to your Specops Authentication organization account, and manage CAPTCHA settings.

  1. Select Account on the Specops Authentication web.
  2. Click Edit domains.
  3. Click Add new domain name.
  4. Enter the domain name in the additional text field, and click Save.
  5. Select the Office 365 menu item.
  6. Click Enable next to the newly added domain.
  7. You will be redirected to sign in with your O365 administrator account on Azure, and asked grant permission to Specops Authentication.

Manage CAPTCHA settings

Configure the captcha settings to dynamically display a captcha to prevent user name harvesting

User Counting

You can refresh the enrollment statistics, found on the Statistics page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.

The last count statistics can also be found the page.

Office 365

From the Office 365 menu, you can configure federation, provisioning and authentication rules. Select the domain you want to use for O365, and click Let’s start.

Prepare the domain > Set up domain

  1. You will be redirected to sign in with your O365 administrator account on Azure, and asked to grant permission to Specops Authentication.
    Note: Your consent provides Specops Authentication with delegated permissions to complete the setup as an administrator. The Specops Authentication App does not have global administrator permissions in your Office 365 tenant. This is required only during setup.
  2. To set up your domain, you will need to copy the TXT verification record from the Specops Authentication web page, to your domain host’s DNS records.
    Note: If you have already verified your domain, you will not be prompted for this step.

User provisioning > Configure

  1. If you are already using Azure AD connect for provisioning, click Skip.
  2. You will be prompted to edit the default O365 User Rules. The User Rules are used to configure provisioning of User Objects from Active Directory to Azure AD.
  3. In O365, the UPN (UserPrincipalName) of the user becomes their username. Some apps may even prompt for an email address, when they actually mean UPN. If the Allow users with non-matching UPN and Email is set to Off, users with values that do not match will not be provisioned, and an error will be displayed during log in.
  4. If required, you can disable the optional user and group attributes.
  5. Click Save when you are done.

Office 365 Licenses > Configure

Specops Authentication can help you manage your O365 licenses. When provisioning is enabled, the license settings allow you to assign O365 subscriptions to users that log in to O365 through Specops Authentication.

  1. For licensing purposes, the Usage Location is a required when creating an Azure user. By default, the msExchUsageLocation attribute in Active Directory is used. If the attribute is missing, it defaults to the country of your Azure organization.
  2. You can further enable/disable specific plans for the selected O365 subscription. For example, if only Skype for Business is enabled, the user will only get the Skype license. If the user had more plans prior to logging in, it will be removed to exactly match your configuration.
  3. Click Save when you are done.

Authentication Rules > Configure

The authentication settings will prompt all affected users to verify their identity with Specops Authentication when logging in to O365.

  1. Move any of the identity services you want to use from the Unselected Identity Services box to the Selected Identity Services box.
  2. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Click here for additional guidance.
  3. To require the user to use a specific identity service, select the Required checkbox.
  4. Configure the required weight (stars) for enrollment.
  5. Configure the required weight (stars) for authentication.
    Note: The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
  6. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  7. Click Save when you are done.

Note: Configure an SSO only policy
If using the GPO configuration type, you can create an SSO only policy alongside a multi-factor authentication policy. To configure an SSO only policy, you will select Windows Identity, and no other identity services. You will assign the Windows Identity with 1 star, and set the weight for enrollment and authentication to 1 star.

Turn on federation > Turn it on

Turn on federation so that all affected users will starting signing in through Specops Authentication. If you want to give the users a chance to enroll first, you can return to this step at a later time.  You will see a message that the setup has been completed successfully. Click Continue.

You will see an overview of all your settings.

Provisioning and configurations

  1. Specify whether you want Specops Authentication to use your tagged GPOs, or the scope selected during the Gatekeeper installation. Select either Group Policy, or Cloud (the selected scope) as the Configuration type, and click Configure.
    1. If Group Policy is selected, you will need to configure the User Rules, License, and Authentication, similar to the steps 4, 5, and 6 above.
  2. On the Provisioning setup, click Details… to check the service status. This checks if the Exchange administrator account is set up. It can take up to an hour before the account can be used. If the status reads Running, provisioning should start working.

Note:

  • This page must be refreshed manually.

You can continue with other configurations and check back here later.