Note: if you are using multiple Specops Authentication products (e.g. uReset, Secure Service Desk), the same account and Gatekeepers can be used for all products. You do not need to create a new account for additional Specops Authentication products. The Administration Tools and Gatekeeper do not have to be re-installed either.

The content below is intended for IT administrators and can be used to install and evaluate Specops Authentication. For more information about the components and concepts used below, see the Specops Authentication Overview.

The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script based installation procedure.


Your organization’s environment must meet the following requirements:

  • Gatekeeper server computer:
      • Joined to your Active Directory domain
      • Windows Server 2012 R2 or later (core or with desktop experience)

        Note: if the Primary Domain Controller is running a version of Windows Server prior to version 2008 R2, the Allow admins to enroll feature can take up to one hour to take effect.

      • .NET Framework 4.7.2 or later
  • Gatekeeper admin tool:
      • Joined to your Active Directory domain
      • Windows 8.1 or later (with desktop experience)
      • .NET Framework 4.7.2 or later
  • Administrative privileges: To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
  • Account options: There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use any of the following:
    • Managed Service Account (recommended): Using a managed service account for the Gatekeeper is easy, without extra actions required for you as an installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
    • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Security groups: The installation script will create security groups used by Specops Authentication. There is no action required by you.
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.

For provisioning to O365:

Delegation root and Active Directory Scope

During the Specops Authentication installation you will be asked to define a delegation root and Active Directory scope.

Delegation root

The delegation root provides an origin for queries in the domain hierarchy. Queries can only be applied downward in the hierarchy, not upward.

Two main things are determined by the delegation root in Specops Authentication:

  • Where the AD settings objects will be saved.
  • The default root for selecting “Active Directory Scopes” (read more on scopes below)

Clean install

When running the installation as a domain admin, a clean install is recommended: the default setting for delegation root, domain root, should be used. When running the installation as a non-domain admin (for instance, in a branch office of a global organization, with admin permissions to only part of Active Directory), use a custom delegation root (see Custom delegation root below). To use this default mode, the admin who is running the SA Admin console needs to be a domain admin. The Settings object location will be the System container in the domain, and all users within the domain will fall within the Active Directory Scope.

Custom delegation root

In cases where, for example, admins only have write permissions on a specific OU, it is possible to use that OU as the delegation root. The suggested location for the Settings object will be the same as the delegation root, and by default users within the OU fall within the Active Directory Scope.

Moving the Settings object

If the default domain root is selected (clean install), the Settings object can be moved to any container in System.
In cases where a custom delegation root has been chosen, the object can be moved anywhere within the selected Delegation root.

Active Directory Scopes

The selected Active Directory scopes determine two things:

  • Which users can be found by SA
  • On which user objects the Gatekeeper has permission to write enrollment data and resetting passwords

It is recommended to set the AD scope to the organizational unit(s) containing the users to be affected by Specops Authentication. Using the root as scope is not recommended since that could affect users that should not be affected. Select the root as scope only if all your AD domain users really need to be affected.

In cases where a custom delegation root is chosen, ticking the box Allow scopes to be selected from other domains will allow scopes to be selected from outside a custom delegation root and also from any other trusted domain in the same forest as the current domain.

Domain trusts

When picking scopes from multiple domains, for all functionality to work as expected there must be a two way trust between the domains. For one-way trusts there can be some unexpected results and this scenario is not supported.

Gatekeeper permissions

When the scopes are applied, the Gatekeeper group is granted permissions to create the enrollment subobjects and resetting passwords (if the uReset feature is enabled) on all accounts within all scopes, including from other domains. Note that the permissions will not be granted for admins or managers outside the scope, even if the option described in the next section is enabled.

Admin outside scopes

The Allow admins and managers to be outside of the selected scope option determines whether or not admins and/or managers can be outside the defined Active Directory scope.

The selected Active Directory scope is the domain root (or delegation root)

In this scenario the option does not need to be checked since all participating users will be within the scopes. This scenario also holds if scopes from other domains have been added as well.

There are admins and/or managers who are not in the selected scopes

When admins and/or managers are outside the selected scope, the option needs to be checked. However, the SA Admin console will not apply the required security permissions to these accounts. This means that while the administrator who is outside the selected scopes will be found by the system and will be allowed to sign in to the system, they will not be able to enroll. The Gatekeeper will get an access denied error.​

Before you begin
  1. Enable modern authentication in O365. This should be done for Exchange Online and Skype for Business Online (if used).
  2. If your O365 implementation is using ADFS or another identity provider, you will need to de-federate the domain you want to federate with Specops Authentication.

Create a customer account 

  1. To create a customer account, click here.
  2. On the Select data center page, identify the data center you want to use and click Go.
    • Note: Specops Authentication is hosted in multiple data centers. There are currently two data centers available: EU (Europe) and NA (North America).
    • WARNING: Ensure that you select the data center you would like your account to be created in. You cannot change data centers after your account has been created.
  3.  In the Your organization’s name field, enter the name of your organization.  
  4. In the Your organization’s domain name field, enter a domain name.  
  5. In the Primary Contact Name field, enter a name. Ideally, this should be the name of the person setting up the account.
  6. In the Primary Contact Email field, enter the email address associated with the primary contact
  7. Click Continue.  
  8. On the Cloud account user page, you must create your first Cloud account. This Cloud account is required in order to perform the rest of the installation.
    • In the Account email address field, enter the email address that you want to associate with this Cloud account. A suffix will be added to the email address, to differentiate this Cloud account from an on-premises account with the same email address/UPN.
    •  The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the email address/UPN that you have specified in the Account email address field.
  9.  To register your mobile phone with your Cloud account, enter your mobile phone number. When you receive the code on your mobile phone, enter it on the screen to authenticate.
  10. On the Cloud account password page, enter and confirm the password you would like to use for this Cloud account and click OK. This is the password you will sign in with for your Cloud account going forward.
    • Note: The policy for this password cannot be altered.
  11.  You will be signed in to the Admin section of Specops Authentication Web. Here you will be able to create a new Gatekeeper. A Gatekeeper is required to sign in with Active Directory accounts.
  12. Click the Create new Gatekeeper button. On the download page, you will see the self-extracting installation package and activation code. The package contains the installation files for the Gatekeeper and your configuration information.
  13. Click Download next to Default self-extracting installation package.
    • Ensure that you have a server ready for installing the package.
    • Take note of the activation code displayed on the page, as you will be prompted for it during installation.
  14. Copy and run the installation file on your server.

Install the Administration Tools

The Administration Tools are used to install and configure the server component, also known as the Gatekeeper. The installation process should be performed on the same server that will be used to run the Gatekeeper.

  1. In the Specops Authentication Setup launcher, click Install the Admin Tools.
  2. Once the Admin Tools have been installed, click Start Admin Tools.

Install the Gatekeeper

  1. Click Install Gatekeeper.
  2. You will be asked to only proceed if you have the activation code from the Gatekeeper download page on the Specops Authentication web. Click Next.
  3. If you do not have permissions to install Specops Authentication at the domain level, you will be presented with the option to configure the Gatekeeper for an organizational unit where you are an administrator. Limit the delegation root, and settings objects location, and click Next.
  4. Select the Active Directory Scope where permissions should be created, and click Add. Multiple locations can be selected for multiple scopes of management. The Active Directory scope determines which users can use the Specops Authentication Service. If you don’t want administrators, and managers to be within the scope of management but want them to still manage the system or authenticate users, click Allow admins and managers to be outside of the selected scope.
  5. Click Next.
  6. The Gatekeeper will run as a windows service. Select the account context the Gatekeeper service should run as.
    • If Custom Domain Account is selected, enter the account name and password of the user account the Gatekeeper service will run as.
  7. Click Next.
  8. If your organization is using a forward proxy server to route internet traffic externally, you will be prompted to configure the proxy server to allow the Gatekeeper to reach the internet. Otherwise, the installation wizard will skip this step.
  9. The following security groups will be created. You can either keep the default group names, or enter a new name:
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
  10. Click Next.
  11. Enter the activation code from the Gatekeeper download page on the Specops Authentication web, and click Activate.
  12. You will receive a message that the Gatekeeper has been configured and activated successfully.
  13. Click Finish.
  14. Verify that the Cloud connection status states Connected.

Domain Verification

In order to enable email notifications, you have to verify all the domains associated with this account. Read more about Domain Verification.


Complete the following configurations once you have installed Specops Authentication.

  1. Create a Specops Authentication GPO:
    1. In the Selected GPOs section of the Gatekeeper, tag the GPOs you want to use with Specops Authentication. Affected users can have their authentication, provisioning, and license settings configured from the Specops Authentication web.
    2. Click Tag GPOs, select the Group Policy, and click OK. Alternatively, if you want Specops Authentication to be applied to the scope selected during the Gatekeeper installation, skip this step, and select Cloud in the last step when configuring Specops Authentication with O365.
  2. Enable Windows Integrated Authentication.