Authentication Web
The Authentication Web can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for its various resources.
Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Authentication Web:
https://login.specopssoft.com/authentication/admin (US datacenter)
https://eu.login.specopssoft.com/authentication/admin (EU datacenter)
Gatekeepers
From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.
Creating and installing a new Gatekeeper
- Log in to the Specops Authentication Web.
- Click Gatekeepers.
- Click New.
- Click Download on Default self-extracting installation package. Note: take note of the activation code displayed on screen, as you will be prompted for it during installation.
- Run the installation file.
- Complete the installation steps.
- Go back to the Gatekeepers page in Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.
Unregistering Gatekeepers
Clicking on a Gatekeeper in the list will bring you to the details page for that Gatekeeper. Here you can also unregister the Gatekeeper in question. However, it is recommended to unregister any Gatekeepers from the Gatekeeper Admin Tool. For more information on how to unregister Gatekeepers, please refer to the Managing offline Gatekeepers section on the Gatekeeper Admin Tool page.
Cloud Accounts
From the Cloud Accounts menu, you can:
- View a list of existing Cloud accounts
- Add new Cloud accounts
- Delete Cloud accounts
- Generate an enrollment URL for a new Cloud account
Viewing existing Cloud accounts
You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.
Adding a new Cloud account
To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.
- Click Add cloud account.
- In the Cloud account email address field, enter the account name (UPN) of the user account. For example: username@domain.com
- The Full cloud account name (upn) field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the Cloud account email address field.
- Click Save.
Generating an enrollment session URL for a Cloud account
You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web. The URL must be copied and sent via email or text message.
Note
An enrollment URL will expire 2 hours after it has been generated. If the URL expires before it is used, a new one must be generated.
Administrators can actively revoke the link before the expiration time ends by clicking the Revoke link at the bottom of the window.
- Select a Cloud account from the list.
- Click Generate next to the Enroll session URL field.
- When the URL has been generated, click the Copy link link, to copy it.
Deleting a Cloud account
You can delete a Cloud account in the Cloud accounts menu.
Warning
If you are a member of the “Admin group”, you will have the ability to delete another Cloud account.
- Select an account from the list.
- Click Delete Account.
- In the confirmation dialog box, click Delete.
Policies
Specops policies are collections of multi-factor authentication rules for the basic functionality of Specops Authentication. Separate policies can be configured for the different Specops Authentication applications, as well as for administrator authentication to Authentication Web.
Configuring a policy
To configure a policy, click Configure next to each policy to set its authentication requirements.
- Click Configure or Edit Authentication Rules.
- Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services on the left by clicking the plus-icon next to the identity service.
- You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Please refer to the Identity service weight assignment page for additional guidance.
- To require the user to use a specific identity service, select the Required checkbox.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication. Note: the number of stars required for authentication must be equal to, or less than, the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.
Removing an identity service
To remove an identity service from a policy, do the following:
- Click Configure or Edit Authentication Rules.
- Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the Unselected Identity Services box on the right.
Policy configuration best practices
When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.
When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.
For more information on enrollment, please refer to the Best Practices document.
Weak identity services
Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:
- Security questions
- Mobile Code (SMS)
- Personal Email
Enrollment security modes
When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.
There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).
- Low security: users are only required to provide their Windows password for identification.
- Medium security: upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.
- High security: upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.
Note: users will be presented with identity services for (re-)enrollment if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.
Note: the low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.
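The star-weight rules from Configuring a policy and the re-enrollment rules for the three security modes above, modelled as an added Python example (not Specops code): the Policy class, the function names and the constructed SAMPLE_POLICY are assumptions, while the weak-service list is the one given under Weak identity services.

```python
"""Star-weighted MFA policy and re-enrollment rules, as described on this page.

Added example, not Specops code. It encodes:
  * selected identity services, each with a star weight, some marked Required;
  * enrollment and authentication star thresholds (authentication must not
    require more stars than enrollment);
  * the weak (self-enrolled) services: security questions, Mobile Code (SMS),
    Personal Email;
  * which previously used services a user may re-enroll with in the Low,
    Medium and High security modes (the Windows password is always required).
The Policy class, function names and SAMPLE_POLICY are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Weak identity services as listed on this page.
WEAK_SERVICES = {"Secret Questions", "Mobile Code (SMS)", "Personal Email"}


@dataclass
class Policy:
    weights: Dict[str, int]                 # selected identity service -> stars
    required: Set[str] = field(default_factory=set)
    enroll_stars: int = 0                   # stars needed to complete enrollment
    auth_stars: int = 0                     # stars needed to authenticate

    def validate(self) -> List[str]:
        """Return the misconfigurations an administrator should fix before saving."""
        problems = []
        if self.auth_stars > self.enroll_stars:
            problems.append("authentication stars exceed enrollment stars")
        for svc in sorted(self.required - set(self.weights)):
            problems.append(f"required service {svc!r} is not selected")
        for svc, stars in self.weights.items():
            if stars < 1:
                problems.append(f"{svc!r} has no star weight assigned")
        if sum(self.weights.values()) < self.enroll_stars:
            problems.append("selected services cannot fill the enrollment star bar")
        return problems


def star_total(policy: Policy, used: Iterable[str]) -> int:
    """Stars collected with the given services; unselected services count for nothing."""
    return sum(policy.weights.get(svc, 0) for svc in set(used))


def fills_star_bar(policy: Policy, used: Iterable[str], threshold: int) -> bool:
    """True when every Required service is present and the star bar reaches `threshold`."""
    used = set(used)
    if not policy.required <= used:
        return False
    return star_total(policy, used) >= threshold


def can_enroll(policy: Policy, enrolled: Iterable[str]) -> bool:
    return fills_star_bar(policy, enrolled, policy.enroll_stars)


def can_authenticate(policy: Policy, used: Iterable[str]) -> bool:
    return fills_star_bar(policy, used, policy.auth_stars)


def reenrollment_options(mode: str, policy: Policy,
                         previously_enrolled: Iterable[str]) -> Tuple[Set[str], int]:
    """Services offered for identification on re-enrollment, and how many the
    user must use (on top of the Windows password, which is always part of it).
    Only services the user enrolled with before *and* that are part of the
    policy are offered, as the note under 'Enrollment security modes' states.
    """
    prev = set(previously_enrolled) & set(policy.weights)
    if mode == "Low":
        return set(), 0                       # Windows password only
    if mode == "Medium":
        return prev, 1                        # any one previously used service
    if mode == "High":
        strong = prev - WEAK_SERVICES
        if strong:
            return strong, 1                  # weak services are not offered
        return prev & WEAK_SERVICES, 2        # only weak ones enrolled: two needed
    raise ValueError(f"unknown security mode: {mode}")


def can_reenroll(mode: str, policy: Policy, previously_enrolled: Iterable[str]) -> bool:
    """False when the user cannot meet the mode's requirement with what they have."""
    offered, needed = reenrollment_options(mode, policy, previously_enrolled)
    return len(offered) >= needed


# Constructed sample policy: the 2-star Specops Authenticator is worth two 1-star services.
SAMPLE_POLICY = Policy(
    weights={"Specops Authenticator": 2, "Mobile Code (SMS)": 1,
             "Secret Questions": 1, "Personal Email": 1},
    required={"Mobile Code (SMS)"},
    enroll_stars=3,
    auth_stars=2,
)
```

A user enrolled only with one weak service cannot satisfy High mode on re-enrollment, which `can_reenroll` reports; that is the situation an administrator should anticipate before switching a policy to High security.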
Auto-enrolled identity services and security modes
For the medium and high security modes, users who are affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, must authenticate with the auto-enrolled identity service on the enrollment page. This means that users must already have their Duo Security or Okta enrollment in place before they can enroll with Specops Authentication.
Lockout settings
The identity services Mobile Code (SMS), Email, and Personal Email can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web, and click on the settings icon next to the identity service in question. The following can be configured:
- Lockout threshold: determines how many times wrong input can be provided.
- Lockout duration in minutes: determines how long the identity service will be locked out for.
Trusted Network Locations setting
When this setting is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.
Identity Services
You can find a full list of available identity services under the Identity Services tab. You can enable or disable any of the identity services in this list. Some of these identity services are configured, and their system-wide settings managed, on this page.
If an identity service is configurable, you will see a settings icon next to it.
If an identity service is disabled, you will see a disabled indicator next to it.
If an identity service has been enabled, you will see an enabled indicator next to it.
Example: a configurable identity service that is currently disabled (icons shown in the original page).
Once you configure an identity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.

The following identity services can be configured:
- Duo Security: Duo Security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo Security mobile app. They must then enter the code to successfully authenticate. Configure Duo Security.
- Email and Personal Email: the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication. Personal Email has to be registered at enrollment by the user, and they may use any email address of their choosing.
- Freja: if users choose to enroll with Freja, they need to authenticate in the Freja app on their device. Configure Freja.
- Manager Identification: when a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. Configure Manager Identification.
- Entra ID: allows Specops Authentication to integrate with Microsoft Authentication Libraries. Microsoft Authenticator can be used to authenticate with Specops Authentication without using a password.
- Mobile Code (SMS): if users choose to enroll with Mobile Code (SMS), they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. Configure Mobile Code (SMS).
- Okta: Okta is a two-step verification service. When users authenticate, they will receive a notification in their Okta mobile app. They must then acknowledge that notification in order to verify their identity. Users can also choose to have an Okta code sent to them in a text message. Configure Okta.
- Passkeys: users can authenticate with passkeys they have already set up on their device. Passkeys are digital credentials (authenticators) tied to a user account and a website or application. Some examples of passkeys are Windows Hello, Yubikey, Bitwarden and any authentication app such as Google Authenticator.
- PingID: with PingID, users can authenticate using the PingID mobile app.
- Secret Questions: users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. Configure Secret Questions.
- SITHS eID: SITHS eID is a smart card-based authentication service that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. Configure SITHS eID.
- Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smart phones and tablets. Users can press their finger to the fingerprint scanner on their device to instantly identify themselves. Users can also use Face ID to authenticate, if they own an iPhone X or later. In order to use this identity service, users must have the app installed on their mobile device.
- Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. Configure Symantec VIP.
- Yubikey: the Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.
Customization
There are a number of customization features that give you control over the Specops Authentication end–user interface, including: logos, text, and colors.
Changing the main logo
The logo at the top left of the page, both in Authentication Web and the Specops Client, can be changed to match your requirements.
- In the Image tab, click Browse under Main logo and select the image you want to use.
- Click OK.
- Click Upload to place the image.
To revert to the default image, click Default.
Main logo image specifications
The following specifications apply to the main logo image:
- Supported file types: png, gif, jpg.
- Maximum file size: one megabyte (1 MB).
- Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
- Image will be rendered with a height of 40 pixels.
- Aspect ratio of the uploaded file will always be kept intact.
- Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
- Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affected.
- For the best results, use an image with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.
Changing the login image
You can also change the image on the login page that is presented to users.
- In the Image tab, click Browse under Login image and select the image you want to use.
- Click OK.
- Click Upload to place the image. The image will appear at the top left of the page.
To revert to the default image, click Default.
Login image specifications
The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.
Changing the colors
Various colors in the interface can be changed to match your company’s look and feel. The colors that can be changed are:
- Page background (page’s main content area)
- Menu background (top and side navigation)
- Sign-in background (login page)
- Default button (primary buttons)
- Secondary button (buttons such as Cancel etc.)
- Information box background (textboxes with additional information)
To change the color:
- In the Style tab, select the checkbox in the Customized column next to the color you want to change.
- Select the color you want to use, either:
  - Click the color-picker icon in the Pick color column and select the color you want, then click OK, or
  - Enter the HTML color code (hexadecimal color code) in the text field.
To revert a particular item to its default color, uncheck the Customized checkbox for that item and click Save.
To revert to the default color for all elements, click Default.
Changing the texts
Various texts that are presented to the user in messages and notifications can also be changed.
- In the Text tab, select the language you want to make changes to by clicking the tab for that language.
- Click the text element you want to change, for example Satisfied, header.
- Select Use custom.
- Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Current value shows the new text.
To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).
Changing the names of identity services
The names of some identity services can be changed to better reflect the way in which they are used in your organization. The identity service names that can be changed are:
- Email (IdService_PrimaryEmail)
- Manager Identification (IdService_ManagerIdentification)
- Mobile Code (IdService_MobileCode)
- Personal Email (IdService_AlternateEmail)
- Secret Questions (IdService_QAndA)
- Windows Identity (IdService_WindowsIdentity)
Identity service names are changed in the same way as other texts, in the Texts table.
Enrollment
| Text element | Description | Default text | 
|---|---|---|
| Satisfied, header | When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the header on that page. | All done! | 
| Satisfied, message | When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the information text on that page. | You have collected enough stars for your enrollment. Feel free to improve your enrollment information by collecting more stars. | 
| Change Registrations, message | This text is displayed on the page where the user selects identity services during the enrollment process. Specifically, this text is used when the user has opted to make changes to an already complete enrollment. | Add or change identity services from the lists below. Make sure your star bar is still full after the changes. | 
| Instructions | This text is displayed on the page where the user selects identity services during the enrollment process. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. | 
| Reminder, header | This is the header that will be displayed on the first page of the enrollment wizard, before the user needs to enter their password. | Enrollment Reminder | 
| Reminder, message | This text will be displayed on the first page of the enrollment wizard, before the user needs to enter their password. | You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard. | 
| Finished, message | This is displayed on the final page of the enrollment process after the user has enrolled with all available identity services or they have selected the "I'm done" option and not "Collect more stars". | You have completed the enrollment, you can now close this browser and move on with your day. | 
| Already enrolled, header | Already enrolled, header | Enrolled | 
| Already enrolled, message | Already enrolled, message | You are already enrolled! If you want to, you can enroll with additional identity services or make changes to the identity services you are enrolled with. | 
Mfa
| Text element | Description | Default text | 
|---|---|---|
| Select Identity Service, message | This text is displayed on the page where the user selects identity services during the login process. | Use the identity services below to identify yourself until you have collected enough stars to fill the star bar. | 
| Cannot enroll because no policy, header | This title is displayed when a user who does not have a policy configured tries to sign in. | You cannot enroll for this service | 
| Cannot enroll because no policy, message | This message is displayed when a user who does not have a policy configured tries to sign in. | No policy has been configured for you for this service. | 
| Enrollment Missing, header | This header is displayed when a user is not enrolled for uReset and tries to reset their password. | Enrollment missing | 
| Cannot Reset Password, not enrolled with uReset | This text is displayed when a user is not enrolled for uReset and tries to reset their password. | You cannot reset your password because you have not enrolled for the reset password service. | 
| Cannot Sign in from Untrusted IP | This text is displayed to an end user when they are trying to sign in but are disallowed due to not connecting from a trusted network location. | You cannot sign in to the {0} resource because you are not connecting from a Trusted Network Location. | 
Service Desk
| Text element | Description | Default text | 
|---|---|---|
| Search Users | This text is displayed on the {0} start page. | Use the search box to find users. You can search by account names, email addresses or users' real names. | 
| Advanced Verification default text message body | During advanced verification, a Service Desk agent can send a text message to the user containing a verification link. The message's default text is determined by this text message template. It can be changed by the Service Desk agent before sending. | Verify your identity here | 
| Advanced Verification default email subject | During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default text is determined by this email subject template. It can be changed by the Service Desk agent before sending. | Verify your identity | 
| Advanced Verification default email body | During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default text is determined by this email body template. It can be changed by the Service Desk agent before sending. | Use this link to verify your identity | 
| RSA SecurID token verification instructions | Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. | Enter a code from the {0} app. | 
| RSA SecurID code verification instructions | Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. | Enter a code from the {0} app. | 
| Password Reset - User Notification Message Body | Describes the text message body for the user password reset notification. This text should specify the message body details. {password} will be replaced with the new user password - this placeholder is required. {upn} will be replaced with the user upn - this placeholder is not required. {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. | Your new password is: | 
| Password Reset - Manager/Custom Notification Message Body | Describes the message body for the manager/custom password reset notification. This text should specify the message body details. {password} will be replaced with the new user password - this placeholder is required. {upn} will be replaced with the user upn - this placeholder is not required. {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. | The new password for {upn} is: {password} | 
| Password Reset - User Notification Sms Body | Describes the message body for the user password reset notification. {password} will be replaced with the new user password - this placeholder is required. {upn} will be replaced with the user upn - this placeholder is not required. {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. | New password: | 
Password change/reset
| Text element | Description | Default text | 
|---|---|---|
| Password Change - Success, message | This text is displayed when the user is done with a password reset or a password change. | Your password has been changed! If you are using a Windows computer, it is recommended to sign out and sign in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary. | 
| Password Change - Success, message for Secure Browser | This text is displayed when the user is done with a password reset or password change that started from the Windows identity password view. | Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary. | 
| Password Change/Reset - Instructions, message | This text is displayed above the password rules when a user is about to perform a password change or password reset. | |
| Password Change/Reset - Instructions, message on mobile | This text is displayed on small devices where the user clicks to expand the password instructions, above the password rules when a user is about to perform a password change or password reset. | Show instructions | 
| Password selection page - Instructions | This text is displayed on the password start page where the user can select between a password change and a password reset. | Need to change your password? If you know your current password, you can sign in with that in order to change it. If you have forgotten your password, you can use the second option to sign in and then reset your password. | 
| Password selection page - Title | This text is displayed on the password start page. This is the section title. | New password | 
| Password selection page - Change password button | This button is displayed on the password start page. This button initiates a password change when the password is known. | I know my password | 
| Password selection page - Reset password button | This button is displayed on the password start page. This button initiates a password change when the password is not known. | I forgot my password | 
Other
| Text element | Description | Default text | 
|---|---|---|
| Username label on username page | This text is displayed when a user enters their username during sign-in. | Username | 
| Username label on password page | This text is displayed when a user enters their username during sign-in. | Username | 
| RSA SecurID token verification instructions | Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. | Enter a code from the {0} app. | 
| RSA SecurID code verification instructions | Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. | Enter a code from the {0} app. | 
| Unlock selection page - Instructions | This text is displayed on the unlock start page where the user can unlock their account if the password is known. | If you know your current password, but the account is locked out, you can unlock it to be able to sign in. | 
| Unlock selection page - Title | This text is displayed on the unlock start page. This is the section title. | Unlock account | 
Identity Service
| Text element | Description | Default text | 
|---|---|---|
| Display name for Windows Identity | This text will replace the display name for the Windows Identity identity service where the identity service is used. | Windows Identity | 
| Display name for Mobile Code | This text will replace the display name for the Mobile Code identity service where the identity service is used. | Mobile Code | 
| Display name for Email | This text will replace the display name for the Email identity service where the identity service is used. | |
| Display name for PersonalEmail | This text will replace the display name for the Personal Email identity service where the identity service is used. | Personal Email | 
| Display name for Manager Identification | This text will replace the display name for the Manager Identification identity service where the identity service is used. | Manager Identification | 
| Display name for Secret Questions | This text will replace the display name for the Secret Questions identity service where the identity service is used. | Secret Questions | 
First Day Password
| Text element | Description | Default text | 
|---|---|---|
| First Day Password start page title | Title for the First Day Password landing page | Setting a password | 
| First Day Password start page description | Description on the First Day Password landing page | It is time to select your first password. On the next page you will see a list of rules and restrictions for how a password can be constructed. Once you are happy with your password, you will need to repeat it in the second box. | 
| Invalid First Day Password URL message | Information to end user when the link has expired or is invalid | This link for setting your password has expired or is invalid, contact your admin for help. | 
| Not eligible for First Day Password | Error message when a user is not eligible for First Day Password after signing in | You are not currently eligible for the First Day Password process. | 
| First Day Password set initial password information | Optional information displayed to the user on top of the reset page when setting their first password. | |
| First Day Password completed message | This text is displayed when the First Day Password user is done with password setup. | Your Windows password has now been set. | 
Setting a fallback language
The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.
- In Authentication Web go to Customization > Texts.
- Click on the tab of the language you want to set as the fallback language, and click Set as fallback language. The fallback language will be marked in bold. Note: If a language has been set as the fallback language, the button will allow you to disable the fallback language; otherwise it will allow you to set it.
The order in which text strings are shown to the user is as follows:
- Customized value for the user’s current language.
- Customized value for the fallback language (if no customized value exists for the current language).
- Default text for the current language (if there are no customized values for either the current language or the fallback language).
This feature can be used to make sure that important custom messages are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Complete_Message string in English also has a customized value. If a user has their language set to anything other than French or English, they will still see the English message, even if there is no customized text for their current language.
Reporting
The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.
- Usage: From the Usage tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or Mobile Code (SMS) usage).
- Auditing: From the Auditing tab you can track event changes in uReset. Click Get Events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
- System Events: From the System Events tab you can view the log operations performed by uReset. The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find without any filtering information for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
- Not Enrolled Users: From the Not Enrolled Users tab you can track enrollment progress by generating and exporting reports related to user enrollments.
Subscriptions
You can see the status of your uReset subscription, including enabled features and identity services from the Subscriptions tab. You can also see usage statistics including completed authentication by month, and all time.
Account
From the Account menu, you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage your custom email settings.
Domains
To add multiple domains to your uReset organization account:
- Select Account in Authentication Web.
- In the Domain names tab, click Add new.
- Enter the domain name in the Domain name field, and click Save.
You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.
Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.
Preferred Domain
When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).
Setting the preferred domain
- Select Account in Authentication Web
- In the Domain names list, click Edit for the domain you want to set as the preferred domain.
- Select the Set as preferred domain checkbox.
- Click Save
CAPTCHA
In this tab you can configure the settings to dynamically display a CAPTCHA. CAPTCHA is used to prevent scripted username harvesting. This setting will protect the endpoints where a user enters their username. If CAPTCHA is enabled, any suspicious attempts at accessing the endpoints will prompt the user with a CAPTCHA challenge. The Google reCAPTCHA technology is used. It is recommended to enable CAPTCHA.
You can set CAPTCHA to one of the following:
- Disable Captcha: disables CAPTCHA entirely.
- Enabled Captcha for requests from untrusted network locations: when Trusted Network Locations is enabled, this option will enable CAPTCHA only for users connecting from IP addresses outside of your trusted network locations.
- Enable Captcha always: this enables Captcha for all users.
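The three settings above amount to a per-request decision that depends on the client address and the Trusted Network Locations list. The following is an added example of that decision logic, written for this page and not code from Specops; the `CaptchaMode` names, the `trusted_locations_enabled` flag, the sample CIDR list and the choice to challenge everyone when the trusted-locations feature is off are all assumptions of the example.

```python
import ipaddress
from enum import Enum


class CaptchaMode(Enum):
    """The three CAPTCHA settings described on the page (names are assumed)."""
    DISABLED = "disabled"          # Disable Captcha
    UNTRUSTED_ONLY = "untrusted"   # Enable Captcha for requests from untrusted network locations
    ALWAYS = "always"              # Enable Captcha always


def parse_trusted_networks(cidrs):
    """Turn a Trusted Network Locations list into ip_network objects (IPv4 or IPv6)."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def is_trusted_address(client_ip, networks):
    """True if the client address falls inside any trusted network.

    An unparsable address is treated as untrusted (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def captcha_required(mode, client_ip, networks, trusted_locations_enabled=True):
    """Decide whether the username endpoint should present a CAPTCHA challenge.

    client_ip must be the address the edge actually saw, not a client-supplied
    header such as X-Forwarded-For; otherwise a script can place itself inside
    a trusted range simply by claiming to be there.
    """
    if mode is CaptchaMode.DISABLED:
        return False
    if mode is CaptchaMode.ALWAYS:
        return True
    # UNTRUSTED_ONLY: the page ties this option to Trusted Network Locations.
    # Assumption for this example: with no trusted networks to compare against,
    # challenge everyone rather than no one.
    if not trusted_locations_enabled or not networks:
        return True
    return not is_trusted_address(client_ip, networks)


# Constructed sample configuration; these ranges are not values from the page.
TRUSTED = parse_trusted_networks(["10.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"])

if __name__ == "__main__":
    for ip in ("10.4.5.6", "203.0.113.9", "2001:db8::1", "garbage"):
        print(ip, captcha_required(CaptchaMode.UNTRUSTED_ONLY, ip, TRUSTED))
```

The fail-closed branches (unparsable address, empty trusted list) are the ones worth keeping when adapting this: the cost of an unnecessary CAPTCHA is a few seconds for a user, the cost of a missing one is unthrottled username harvesting.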
CAPTCHA for ADAL browsers
The ADAL browser is a custom browser from Microsoft that is used to perform a delegated authentication from, for example, Microsoft Outlook or Microsoft Word. These browsers are not fully compatible with Google reCAPTCHA and the end user may be presented with many CAPTCHA challenges in succession. To prevent users from being presented with multiple CAPTCHA challenges, you can check the CAPTCHA Enabled in ADAL browsers checkbox.
Email settings
Note
If SMTP settings have been configured in the Gatekeeper Admin Tool to use your own SMTP provider instead of the Specops Default Configuration (which uses third-party providers, such as SendGrid), this section will be disabled. In order to use the Default Configuration and configure the email settings here, log in to the Gatekeeper Admin Tool, go to Email configuration, click Edit, and change the dropdown to Specops Default Configuration. Then click OK twice.
If you would like to have enrollment-, authentication-, and user identity verification emails sent from a custom email address, you can configure this here.
Note
Setting this email address will not change your notification settings (e.g. for Specops uReset notifications).
- Click on the Email settings tab.
- Click on the current email to enter the Email settings.
- Set the Sender Display Name, the Sender Address, and select the domain from the dropdown. Note: Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
- Click Save. Note: Clicking Reset to System Default will revert the email settings back to the default email address set by Specops (from specopssoft.com). This will delete the current email setting.
Configuring DKIM Records for email
DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.
DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. The domain owner also adds a DKIM record, which is a specially formatted TXT record, to the DNS records of the sending domain. This TXT record contains the public key that receiving mail servers use to verify a message's signature.
- Send a request for DKIM to Product Support (you can use this form).
- Product Support generates a DKIM record, which is sent to you.
- Add the DKIM record to your DNS record.
- Once added, Product Support can verify the existence of the record.
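Step 3 is where DKIM deployments usually go wrong: the record name must be `<selector>._domainkey.<domain>`, a 2048-bit key makes the record longer than the 255-octet limit of a single TXT string (so it has to be split into several strings that receivers concatenate), and an empty `p=` value means "key revoked". The following is an added example, not Specops code, that builds the record name, splits and re-joins the TXT strings, and sanity-checks a record the way a receiving server would before trusting it. The sample record is constructed from 294 placeholder bytes standing in for a real 2048-bit RSA SubjectPublicKeyInfo; no real key or Specops selector is involved.

```python
import base64
import binascii

TXT_STRING_LIMIT = 255          # one character-string in TXT RDATA holds at most 255 octets
RSA_2048_SPKI_DER_LEN = 294     # DER length of a 2048-bit RSA SubjectPublicKeyInfo (e=65537)


def dkim_record_name(selector, domain):
    """Name receivers query: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def split_txt_strings(record, limit=TXT_STRING_LIMIT):
    """Split a long record into the <=255-octet strings a TXT record is made of.

    Receivers concatenate the strings before parsing, so the cut may fall anywhere,
    even inside the base64 of the key.
    """
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def join_txt_strings(strings):
    return "".join(strings)


def parse_dkim_record(record):
    """Parse 'tag=value; tag=value' into an insertion-ordered dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        key = key.strip()
        value = "".join(value.split())  # folding whitespace inside a value is permitted
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    return tags


def validate_dkim_record(record):
    """Return a list of problems; an empty list means the record looks usable."""
    try:
        tags = parse_dkim_record(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "v" in tags:
        if tags["v"] != "DKIM1":
            problems.append("v= must be DKIM1")
        if next(iter(tags)) != "v":
            problems.append("v= must be the first tag")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type {key_type!r}")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p= tag")
    elif pub == "":
        problems.append("empty p= tag: this key has been revoked")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
        else:
            # Length heuristic only: a proper check would parse the SPKI structure.
            if key_type == "rsa" and len(der) < RSA_2048_SPKI_DER_LEN:
                problems.append("RSA key appears shorter than 2048 bits")
    return problems


# Constructed sample record (placeholder key bytes, not a real public key).
SAMPLE_KEY = base64.b64encode(bytes(RSA_2048_SPKI_DER_LEN)).decode()
SAMPLE_RECORD = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"

if __name__ == "__main__":
    print(dkim_record_name("selector-placeholder", "example.com"))
    print([len(s) for s in split_txt_strings(SAMPLE_RECORD)], validate_dkim_record(SAMPLE_RECORD))
```

When Product Support verifies the record in step 4, what they are checking is essentially the output of `validate_dkim_record` on the strings your DNS actually serves; running the same check yourself after the zone change propagates saves a round trip.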
Information
The Information tab displays information on account creation date and the date the terms of service were accepted.
Delete Account
Accounts can be deleted by contacting Specops.
User Counting
You can refresh the enrollment statistics, found on the Reporting page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.
The last count statistics can also be found on the page.
Configuring user counting time
Here you can configure at what time user counting will run on the Gatekeeper.
- Set the time you want user counting to run. Note: Time is set in Coordinated Universal Time (UTC).
- Mark the checkbox Send enrollment reminders when the counting is complete in order to send enrollment reminders to users whenever user counting is run.
- Click Save Settings.
Manually initiate user counting
User counting can be started at any time by clicking the Start Counting button.
Key Recovery
From the Key Recovery menu, you can configure your authentication rules.
Policy
Here you can configure the policy mode, as well as configure the policies associated with Key Recovery.
Configure the Key Recovery policy mode
To specify the authentication rules for users, you will have the following policy mode options:
- Cloud: All users will have the same authentication rules for key recovery.
- Group Policy: Users will have different authentication rules as determined by the Group Policy they are affected by.
- Both: Group Policy will be processed first, and the Cloud policy will be applied to users not affected by any Group Policy Object with Specops Key Recovery settings.
Configure a Key Recovery policy
Click Configure next to each policy to set its authentication requirements.
- Move any of the identity services you want to use from the Unselected Identity Services box to the Selected Identity Services box.
- You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars would be equivalent to two identity services worth 1 star.
- To require the user to use a specific identity service, select the Required
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication. Note: The number of stars required for authentication must be equal to, or less than, the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
Policy configuration best practice
When configuring policies for multiple Specops applications (uReset, Authentication for O365, Key Recovery, Password Minder) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.
When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.
For more information on enrollment, please refer to the Best Practices document.
Weak identity services
Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:
- Security questions
- Mobile Code (SMS)
- Personal Email
Enrollment security modes
When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.
There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).
- Low security: Users are only required to provide their Windows password for identification.
- Medium security: Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.
- High security: Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.
Note
The low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.
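The star-weighted policy (Configure a Key Recovery policy, above) and the re-enrollment rules of the three security modes are easier to reason about as a small model. The following is an added example written for this page, not Specops code: it evaluates whether a set of identity services fills the star bar, enforces the Required flag and the "authentication stars must not exceed enrollment stars" rule, and computes what a user must present on re-enrollment under each mode. The service names and star values in `EXAMPLE_POLICY` are constructed; the weak-service list is the one on this page; the validation messages and the `reenrollment_requirement` function name are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable

# The identity services the page lists as weak (self-enrolled).
WEAK_SERVICES = {"Secret Questions", "Mobile Code", "Personal Email"}


@dataclass
class PolicyService:
    name: str
    stars: int            # weight the administrator assigned
    required: bool = False


@dataclass
class KeyRecoveryPolicy:
    services: list
    enrollment_stars: int
    authentication_stars: int

    def validate(self):
        """Problems that should block Save (messages are assumed, not the product's)."""
        problems = []
        if self.authentication_stars > self.enrollment_stars:
            problems.append("authentication stars must be equal to or less than enrollment stars")
        if any(s.stars < 1 for s in self.services):
            problems.append("every selected identity service needs at least one star")
        if sum(s.stars for s in self.services) < self.enrollment_stars:
            problems.append("enrollment threshold cannot be met even with all selected services")
        return problems

    def star_bar(self, used: Iterable[str]) -> int:
        """Stars filled by the given services; names outside the policy count 0."""
        by_name = {s.name: s for s in self.services}
        return sum(by_name[n].stars for n in set(used) if n in by_name)

    def _satisfies(self, used, threshold):
        names = set(used)
        if any(s.required and s.name not in names for s in self.services):
            return False          # a Required service cannot be substituted by stars
        return self.star_bar(names) >= threshold

    def can_enroll(self, used):
        return self._satisfies(used, self.enrollment_stars)

    def can_authenticate(self, used):
        return self._satisfies(used, self.authentication_stars)


def reenrollment_requirement(mode: str, enrolled: Iterable[str]):
    """(number of previously used services needed beyond the Windows password,
    services the user is offered) for re-enrollment under a security mode."""
    enrolled = sorted(set(enrolled))
    if mode == "low":
        return 0, []
    if mode == "medium":
        return 1, enrolled
    if mode == "high":
        strong = [s for s in enrolled if s not in WEAK_SERVICES]
        if strong:
            return 1, strong      # weak services are not offered at all
        return 2, enrolled        # enrolled only with weak services: two of them
    raise ValueError(f"unknown security mode {mode!r}")


# Constructed example policy; the names and weights are not from the page.
EXAMPLE_POLICY = KeyRecoveryPolicy(
    services=[
        PolicyService("Specops Authenticator", stars=2, required=True),
        PolicyService("Mobile Code", stars=1),
        PolicyService("Secret Questions", stars=1),
    ],
    enrollment_stars=3,
    authentication_stars=2,
)

if __name__ == "__main__":
    print(EXAMPLE_POLICY.validate())
    print(EXAMPLE_POLICY.can_authenticate(["Mobile Code", "Secret Questions"]))
    print(reenrollment_requirement("high", ["Mobile Code", "Secret Questions"]))
```

The `can_authenticate(["Mobile Code", "Secret Questions"])` case is the one to notice: two weak services fill the two-star authentication bar, but the Required flag on the authenticator still blocks them. Marking a strong service as Required is therefore the lever that keeps a policy from being satisfiable with weak services alone.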
Settings for Symantec Endpoint Encryption
From the Symantec Endpoint Encryption tab, you can require a challenge key, and enable BitLocker Key Recovery.
Configure a challenge key (Symantec Endpoint Encryption only)
You can add a Challenge Key field to the Symantec Endpoint Encryption Information page, by selecting the Require challenge key checkbox. If this checkbox is selected, all users with devices encrypted by Symantec Endpoint Encryption will be required to enter a challenge key that can be found on their locked computer’s screen, when they are performing a key recovery.
Enabling BitLocker Key Recovery
If your organization uses BitLocker Key Recovery (managed by Symantec Endpoint Encryption) to protect their computers, you can enable BitLocker Key Recovery.
Settings for BitLocker
From the BitLocker tab, you can enable BitLocker Key Recovery.
Testing the connection
You can test and verify if you are successfully connected to the Symantec Help Desk and Symantec Database, and verify that BitLocker is configured. If the connection is successful, you will see the word Success on the right-hand side.
Specops Secure Access
Specops Secure Access brings two-factor authentication to the Windows login screen; it requires users to authenticate with an additional identity service besides their main Windows password when they log in to their computer. This provides an extra layer of security. Secure Access is designed to increase security with minimal impact on users. The authentication process is flexible in that users can choose themselves which additional identity service they wish to use as a second factor.
Currently, the following identity services can be configured with Secure Access:
- Mobile code
- Yubikey
- Specops:ID
- Duo
Configuring a Secure Access policy
Setting up Secure Access consists of configuring a policy that includes those identity services that your users have access to.
- In the Specops Authentication Web left navigation, go to MFA for Windows
- Click on the MFA for Windows tab, then click Configure for the policy.
- Click the plus-icon for those identity services you want to include in the policy.
- Click Save
Configuring an NPS Companion policy
The Microsoft Network Policy Server (NPS) is called through the NPS Companion using RADIUS to enable two-factor authentication for remote access. Here you can configure a policy for those users.
- In the Specops Authentication Web left navigation, go to MFA for Windows
- Click on the NPS Companion tab, then click Configure for the policy.
- Click the plus-icon for those identity services you want to include in the policy.
- Click Save
End-user
In order to provide a backup authentication method (e.g. in cases where online access is unavailable), users need to configure an account registration entry in their authenticator app.
Note
If this is the first time users access Secure Access and they have not yet enrolled with Specops Authentication, they will need to enroll first.
- Click on the Register button.
- A secure browser window will open. Follow the instructions in the browser to enroll with Specops Authentication.
Setting up offline authentication registration (Initial login procedure)
Note
An authenticator app such as Microsoft Authenticator or Google Authenticator is required to set up offline authentication.
- Log in to your computer with your main Windows password and a second factor chosen from the list.
- The Secure Access screen shows a QR-code
- Open your authenticator app and create a new entry.
- Scan the QR-code from within the authenticator app.
- Enter the code generated by the authenticator app.
- Click OK.
Subsequent logins require the user to log in with their main Windows password and a second factor of their choosing.
Offline authentication
In situations where users are unable to connect to the internet, Secure Access can still be used by using the user's authenticator app as a second factor (see above, previous section on initial login).
In cases where the user's computer is offline, they will be presented with the following:
- Log in to your computer with your main Windows password.
- The Secure Access screen will indicate a Server connection error.
- Click the Offline Code button.
- Open your authenticator app and find the MFA account registration entry.
- Enter the code from your authenticator app.
- Click OK.