Authentication Web

The Authentication Web can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for its various resources.

Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Authentication Web :

https://login.specopssoft.com/authentication/admin (US datacenter)

https://eu.login.specopssoft.com/authentication/admin (EU datacenter)

Gatekeepers

From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.

Create and install new Gatekeeper

  1. Login to the Specops Authentication Web .
  2. Click Gatekeepers.
  3. Click New.
  4. Click Download on Default self extracting installation package.
    NOTE
    Take note of the activation code displayed on screen as you will be prompted for it during installation.
  5. Run the installation file.
  6. Complete the installation steps.
  7. Go back to the Gatekeepers page on the Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.

Cloud accounts

From the Cloud Accounts menu, you can:

  • View a list of existing Cloud accounts
  • Add new Cloud accounts
  • Delete Cloud accounts
  • Generate an enrollment URL for a new Cloud account

View existing Cloud accounts

You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.

Add a new Cloud account

To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.

  1. Click Add user.
  2. In the Account name field, enter the account name (UPN) of the user account. For example: username@domain.com
  3. The Full Cloud accountname field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the Account name field.
  4. Click Save.

Generate an enrollment session URL for a Cloud account

You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web . The URL must be copied and sent via email or text message.

NOTE
An enrollment URL will expire 2 hours after it has been generated. This is a system-wide setting that cannot be altered. If the URL expires before it is used, a new one must be generated.
  1. Select a Cloud account from the list.
  2. Click Generate next to the Enroll Session URL field.
  3. When the URL has been generated, click the Copy to clipboard button, to copy it.

Delete a Cloud account

You can delete a Cloud account in the Cloud accounts menu.

WARNING
If you are a member of the “Admin group”, you will have the ability to delete another Cloud account.
  1. Select a user from the list.
  2. Click Delete.

Policies

Specops policies are collections of multi-factor authentication rules for the basic functionality of Specops Authentication . Separate policies can be configured for different Specops Authentication applications, as well as for the administrators for authentication for Authentication Web.

Configuring a policy

To configure a policy, click Configure next to each policy to set its authentication requirements.

  1. In Authentication Web, go to Policies.
  2. Click Configure.
  3. Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services on the left by clicking the plus-icon next to the identity service.
  4. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Click here for additional guidance.
  5. To require the user to use a specific identity service, select the Required
  6. Configure the required weight (stars) for enrollment.
  7. Configure the required weight (stars) for authentication.
    NOTE
    The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
  8. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  9. Click Save when you are done.

Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.

Removing an identity service

To remove an identity service from a policy, do the following:

  • In Authentication Web, go to Policies
  • Click Configure
  • Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the Unselected Identity Services box on the right.

Policy configuration best practices

When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.

When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.

For more information on enrollment, please refer to the Best Practices document.

Weak identity services

Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:

  • Security questions
  • Mobile Code (SMS)

Enrollment security modes

When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.

There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).

Low security
Users are only required to provide their Windows password for identification.

Medium security
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.

High security
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.

Note: users will be presented with indentity services for (re-)enrollement if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.

Note:the low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.

Auto-enrolled identity services and security modes

For medium- and high security modes, users who are affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, will have to authenticate with the auto-enrolled identity service on the enrollment page. This means that users will have to have their enrollment with Duo Security or Okta in place before they can enroll with Specops Authentication .

Lockout settings

The identity services Mobile Code (SMS), Email, and can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web , and click on the settings icon next to the identity service in question. The following can be configured:

  • Lockout threshold: determines how many times wrong input can be provided.
  • Lockout duration in minutes: determines how long the identity service will be locked out for.

Trusted Network Locations setting

When this setting is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.

Identity services

You can find a full list of available identity services under the Identity Services tab. You can enable/disable identity services all of the identity services in this list. You configure some of these identity services and manage their system-wide settings on this page.

If an identity service is configurable, you will see a Identity service cog icon next to it.

If an identity service is disabled, you will see a Identity service cross icon next to it.

If an identity service has been enabled, you will see a Identity service check icon next to it.

Examples:

  • A configurable identity service that is currently disabled.

Alt text for this image

  • A configurable identity service that is currently disabled.

Alt text for this image

Once you configure an identity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.

Alt text for this image

The following identity services can be configured:

  • Duo Security: Duo Security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo Security mobile app. They must then enter the code to successfully authenticate. To configure Duo Security, see here.

  • EFOS/SITHS: EFOS/SITHS is a smart card-based authentication service, that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. To configure EFOS/SITHS, see here.

  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. To configure Manager Identification, see here.

  • Mobile Code (SMS): If users choose to enroll with Mobile Code (SMS), they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. To configure Mobile Code (SMS), see here.

  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. To configure Secret Questions, see here.

  • Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. To configure Symantec VIP, see here.
  • Email and : the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication . has to be registered at enrollment by the user and they may use any email address of their choosing.
  • Okta: Okta is a two-step verification service. When users authenticate, they will receive a a notification in their Okta mobile app. They must then acknowledge that notification in order to verify their identity. Users can also choose to have an Okta code sent to them in a text message. To configure Okta, see here.
  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.

Customization

There are a number ofcustomization features that give you control over the Specops Authentication end–user interface, including: logos, text, and colors.

The logo at the top left of the page, both in Authentication Web and the Authentication Client , can be changed to match your requirements.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affaected.
    • For the best results, use an image width with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.

  1. Click Browse and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be change to match your comapny’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:

  1. Select the checkbox next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon and select the color you want, then click OK.
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

  1. Select the language you want to make changes to in the Language drop-down.
  2. Click the text element you want to change, for example Enroll_Completed_Header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Customized value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

Changing the names of identity services

The names of some identity services can be changed to better reflect the way in which they are used in your organization. The identity service names that can be changed are:

  • Email (IdService_PrimaryEmail)
  • manager Identification (IdService_ManagerIdentification)
  • Mobile Code (IdService_MobileCode)
  • Personal Email (IdService_AlternateEmail)
  • Secret Questions (IdService_QAndA)
  • Windows Identity (IdService_WindowsIdentity)

Identity service names are changed in the same way as other texts, in the Texts table.

Text label Description Default text
Enroll_AlreadyEnrolled_Header Header for the Already enrolled message Enrolled
Enroll_AlreadyEnrolled_Message Message users receive when they have already enrolled. You are already enrolled! If you want to, you can enroll with additional identity services or make changes to the identity services you are enrolled with.
Enroll_Completed_Header Header for page shown when users have met the weight requirements, with option to continue or end enrollment process. All done!
Enroll_Completed_Message Information text for page shown when users have met the weight requirements, with option to continue or end enrollment process. You have collected enough stars for your enrollment. Feel free to improve your enrollment information by collecting more stars.
Enroll_CompletedCompleted_Message Text on final page of enrollment process. You have completed the enrollment, you can now close this browser and move on with your day.
Enroll_Edit_Help Text on identity services page when users has opted to make changes to an already complete enrollment. Add or change identity services from the lists below. Make sure your star bar is still full after the changes.
Enroll_Help Text on identity services selection page during enrollment. Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Enroll_Introduction_Header Header on the first page of the enrollment wizard (before entering password) Enrollment Reminder
Enroll_Introduction_Message Text on the first page of the enrollment wizard (before entering password) You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard.
IdService_PrimaryEmail Email ID service name Email
IdService_ManagerIdentification Manager Identification ID service name Manager Identification
IdService_MobileCode Mobile Code ID service name Mobile Code
IdService_AlternateEmail Personal Email ID service name Personal Email
IdService_QAndA Secret Questions ID service name Secret Questions
IdService_WindowsIdentity Windows Identity ID service name Windows Identity
Error_Mfa_UserHasNoPolicy_Message Error message text displayed when a user who does not have a policy configured tries to sign in. No policy has been configured for you for this service.
Error_Mfa_UserHasNoPolicy_Title Error message title displayed when a user who does not have a policy configured tries to sign in. You cannot enroll for this service
Mfa_Menu_Message Text on identity services selection page during login. Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Mfa_NotEnrolled_EnrollmentMissing_Header Header displayed when a user is not enrolled with uReset and tries to reset their password. Enrollment missing
Mfa_NotEnrolled_IsuReset_Information Text displayed when a user is not enrolled with uReset and tries to reset their password. You cannot reset your password because you have not enrolled for the reset password service.
Password_Complete_Message Text on final page for a password reset or password change. Your password has been changed! If using a Windows computer, it is recommended to sign-out and sign-in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary.
Password_CompleteSecuredBrowser_Message Text on final page for a password reset or password change that started from the Windows identity password view. Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary.
TextCustomization_MetaInfo_Password_Instructions_Message Text displayed above password rules when performing a password change or password reset. This text is displayed above the password rules when a user is about to perform a password change or password reset.
Password_Instructions_Mobile_Header Clickable text displayed on small devices to expand the password instructions, above the password rules when performing a password change or password reset. Show instructions
Password_Start_Info Text at the top of the change password screen. Need to change your password? If you know your current password, you can sign in with that in order to change it. If you have forgotten your password, you can use the second option to sign in and then reset your password.
SkipCredentialScreening_UserName_Label Text displayed when a user enters their username during sign-in. Username
UserManagement_SearchInformation Text displayed on the User Management start page. Use the search box to find users. You can search by account names, email addresses or users' real names.
WindowsIdentity_UserName_Label Text displayed when a user enters their password during sign-in. Username
IdService_Display_Name_WindowsIdentity Windows Identity text on the login page. Windows Identity

Setting a fallback language

The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.

  1. In Authentication Web go to Customization > Texts
  2. Click on the language you want to set as the fallback language, and click Set as fallback language.
    NOTE
    if a language has been set as the fallback language, the button will allow you to disable the fallback language, otherwise it will allow you to set it.

The order in which text strings are shown to the user is as follows:

  1. Customized value for the user’s current language.
  2. Customized value for the fallback language (if no customized value exists for the current language).
  3. Default text for the current language (if there are no customized values for either the current language or the fallback language).

This feature can be used to make sure that important custom message are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Complete_Message string in English also has a customized value. If a user has their language set to anthing other than French or English, they will still see the English message, even if there is no customized text for their current language.

Reporting

The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.

  • Statistics: From the Statistics tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or Mobile Code (SMS) usage).
  • Auditing: From the Auditing tab you can track event changes in uReset . Click Get events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
  • System Events: From the System Events tab you can view the log operations by uReset . The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
  • Not enrolled users: From the Not enrolled users tab you can track enrollment progress by generating and exporting reports related to user enrollments.

Subscription

You can see the status of your uReset subscription, including enabled features and identity services from the Subscription tab. You can also see usage statistics including completed authentication by month, and all time.

Account

From the Account menu, you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage your custom email settings.

Domains

To add multiple domains to your uReset organization account.

  1. Select Account in Authentication Web .
  2. In the Domain names tab, click Add new.
  3. Enter the domain name in the Domain name field, and click Save.

You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.

Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.

Preferred Domain

When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).

Setting the preferred domain
  1. Select Account in Authentication Web
  2. In the Domain names list, click Edit for the domain you want to set as the preferred domain.
  3. Select the Set as preferred domain checkbox.
  4. Click Save

Manage CAPTCHA settings

Configure the captcha settings to dynamically display a captcha to prevent user name harvesting.

Email settings

NOTE
If SMTP settings have been configured in the Gatekeeper Admin Tool to use your own SMTP provider instead of the Specops Default Configuration (which uses third-party providers, such as SendGrid), this section will be disabled. In order to use the Default Configuration and configure the email settings here, log in to the Gatekeeper Admin Tool, go to Email configuration, click Edit, and change the dropdown to Specops Default Configuration. Then click OK twice.

If you would like to have enrollment-, authentication-, and user identity verification emails sent from a custom email address, you can set that here.

NOTE
Setting this email address will not change your notification settings (e.g. for Specops uReset notifications).
  1. Click on the Email settings tab
  2. Click on the current email to enter the Email settings
  3. Set the Sender Display Name, the Sender Address, and select the domain from the dropdown.
    NOTE
    Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
  4. Click Save
    5. NOTE
    Clicking Reset to Default will revert the email settings back to the default email address set by Specops (from specopssoft.com).

Configuring DKIM Records for email

DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.

DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. A domain owner also adds a DKIM record, which is a modified TXT record, to the DNS records on sending domain. This TXT record will contain a public key that's used by receiving mail servers to verify a message's signature.

  1. Send a request for DKIM to Product Support (you can use this form).
  2. Product Support has a DKIM record generated, which is sent to you.
  3. Add the DKIM record to your DNS record.
  4. Once added, Product Support can verify the existence of the record.

User Counting

You can refresh the enrollment statistics, found on the Statistics page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.

The last count statistics can also be found on the page.

Secure Service Desk

The Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Agents can help users reset their passwords or unlock their computers (if encrypted with Bitlocker or Symantec) in a secure and easy to use environment. The Service Desk also holds user information and statistics.

Note on phone numbers in Active Directory

Important: in order for text messaging to function correctly in the Service Desk, the mobile phone number registered in Active Directory has to follow the E.164 numbering plan format. This means that mobile phone numbers have to have the following format: +[country_code][subscriber_number_omitting_first_zero]. For example, for the Swedish (country code 46) phone number 073-3123456, the number in AD should be +46733123456; for the US (country code 1) phone number 415 555 2671, the format in AD should be +14155552671.

Note that registering phone numbers in Active Directory using any other format will result in the service desk agent being unable to send text messages to the user in question.

Configuring a policy for access to the Secure Service Desk

For added security, you can configure multi-factor authentication policies for users (typically service desk agents) accessing the service desk.

  1. Click on Service Desk in the left navigation.
  2. Click on the Configure button to configure the policy.
  3. Configure the policy, then click Save.

Configuring settings for Secure Service Desk

On the Settings page you can configure the following:

  • Identity verification
  • verification override URL
  • Password reset options
  • User privacy options
  • Key recovery options
  • Enrollment options

Identity verification

If this setting is enabled, the user’s password cannot be reset, nor can their computer be unlocked by the service desk, until the users identity has been verified by having them authenticate with any of the identity services they have previously enrolled with.

  1. Click on Service Desk in the left navigation.
  2. Click on the Settings button to configure the settings.
  3. Check the Enforce identity verification checkbox, and click Save.

Verification override URL

Here you can enter a verification override URL which will be shown to a Service Desk agent when the verification URL can't be sent to the user directly. The service desk agent can then read the URL to the user. For more information on this feature and its set-up, see the Override URL page.

Password reset options

The following options can be enabled in the password reset settings:

  • Force users to change password after reset
    If this option is enabled, Service Desk agents cannot input passwords manually for resets. The new password will be sent to the user in an email or text message.
  • Allow manual password override (to override system-generated passwords if the System-generated passwords option has been enabled)
  • Allow only system-generated passwords (to enable the generation of passwords by the system; the Service Desk agent will not be able to read the generated password)
  • Notifications (see the Enabling additional notification methods section below)
Enabling additional notification methods

This section allows for configuring the notification possibilities for the service desk agent. In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following settings can be enabled:

  • Enable sending new passwords through email or text message: when this option is checked, the email and text notification methods are available to the service desk agent (provided that the attributes for the user are configured correctly in Active Directory)
  • Send to custom email: allows sending notification emails to email addresses other than those registered in Active Directory.
  • Send to manager: allows sending notifications to the user's manager (email and text message, if correctly configured in Active Directory)

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand Password reset options options.
  4. Check Enable sending new passwords to managers to enable sending to a manager.
  5. Check Enable sending new passwords to custom email addresses to enable sending to custom emails.
    This option is not available if the System-generated passwords option has been enabled. This is a security precaution to avoid having the Service Desk agent be able to read the generated password.
  6. Click Save

User privacy options

These options can be used to restrict service desk agents' access to certain user information. The following options are available:

  • Part of number: enables showing, hiding or only showing part of the user's phone number for the service desk agent.
  • Show/Hide (email): enables showing or hiding the user's email address for the service desk agent.
Hiding a user's phone number and/or email address
  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand User privacy options options.
  4. Set the first drop-down to Hide to hide the user's phone number from the service desk agent's view.
  5. Set the second drop-down to Hide to hide the user's email from the service desk agent's view.
  6. Click Save

Key recovery options

This section allows you to configure additional notifications for key recovery operations:

  • Enable sending the Recovery Key to managers: allows sending the Recovery Key to the user's manager if configured correctly in Active Directory.
  • Enable sending the Recovery Key to custom email addresses: allows sending the REcovery Key to emails other than those associated with the user in Active Directory. The custom emails are required to be in the registered domains.

Enrollment options

Here you can configure whether or not service desk agents can enroll users for certain identity services without user inytervention. This feature can only be used when the user has been verified. For more information on this feature, please see the Enrollment section.

Secure Service Desk admin menu

The top menu for the Secure Service Desk consists of the following items:

  • Admin: gives information on the account you are signed in with, and what privileges that account holds.
  • Service Desk: the interface for performing service desk actions (for the agent; see section below for more information).
  • New password: to change the password for the current user.
  • Enroll: view and change the enrollments for the current user.

Secure Service Desk

This is the interface for service desk agents where all actions for helping users can be performed. Note that the interface is empty until you search for a particular user.

Searching for a user

Before any actions on behalf of users calling in to the service desk can be performed, the user in question has to be found in Active Directory.

  1. Fill in the user’s name or username in the top right search field and click the search icon.
  2. If there is only one match, the user’s information will be displayed. In case of partial matches a list of possible Active Directory names will be displayed.
  3. Choose the correct user from the list.

Verify Identity

Until a user’s identity has been verified, a red user icon with a strike through it will appear in the top right corner of the service desk interface.
Service desk agents can verify the identity of the user calling in to the Secure Service Desk by having the user authenticate with any of the identity services the user has previously enrolled with.
Note that if the Enforce identity verification setting has been enabled, the user’s identity has to be verified before other actions (reset password, and unlock computer) can be performed.

  1. Once the user has been found in Active Directory, click on the Verify identity tab.
  2. Click on the identity service you want the user to authenticate with. The user will be prompted on their computer to authenticate. Note that until the user has authenticated, the service desk agent should leave the Verify identity tab open.
  3. Once authenticated, the service desk agent will receive a success page, and all other service desk actions can be performed.

Alternatively, if the enrolled identity services are not used, the service desk agent can send a text message, Email, or PingID push (Quick Verification) containing a code. This message will be sent to the mobile number associated with the user in Active Directory or appear in the PingID app if that option was chosen. Once received, the user should either read the code to the service desk agent to confirm their identity, or acknowledge the push message from the PingID app. Note that the option to send a code by text message will not appear on screen if the user’s mobile phone number has not been registered in Active Directory; the option to send a Quick Verification will not appear if the user’s email has not been registered in Active Directory.

Quick Verification with Symantec VIP and Okta

Quick verification with Symantec VIP/Okta works in much the same way as PingID.

NOTE
Make sure the user is enrolled with Symantec VIP/Okta in order to use this identity service.

Verify by push notification

(available if the user has a push-enabled device enrolled and active with Symantec VIP/Okta, or if text messages have been enabled for Okta)

  1. Click on the Symantec VIP/Okta tab in Quick Verification.
  2. Click Start; a push notification will be sent to the user being verified.
    NOTE
    For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, this will be selected automatically. See the section Verify by code for more information.
  3. The user can acknowledge the push notification which will verify their identity.

Verify by code

  1. Click on the Symantec VIP/Okta tab in Quick Verification.
  2. Click Start.
  3. Click the Enter Code link.
    NOTE
    For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, this will be selected automatically.
  4. In case of Symantec VIP, if the user has the Symantec Desktop App installed, they can retrieve the code from there. Alternatively, the agent can have a code sent to them via SMS or phone call by clicking the appropriate button. Note that this option will be shown automatically if the user only has SMS notification enabled.
  5. Have the user read the code, and enter it in the field, then click Verify.

Manager Identification

There may be situations in which users are unable to verify their identity themselves due to communications/data restrictions. In those cases it can be beneficial to have the user's manager identify their identity for them.

Enabling Manager Identification
  1. In Authentication Web go to Service Desk, and access the Settings tab.
  2. Check the Manager identification as Quick verification checkbox.
  3. Click Save.
Using Manager Identification as Quick Verification

The following is an example of how this quick verification method can be used.

  1. When the user calls into the Service Desk, click on Verify Identity.
  2. Under Quick Verification, choose Manager Identification. You will see a message saying "You can identify the identity of [user_name] by sending a verification request to the manager of [user_name]."
  3. Click Start.
  4. The manager (if registered as such in Active Directory) will receive an email asking to verify the user. It is up to the manager (and the user in question) to make sure the correct user is verified (e.g. by calling the user).
  5. The manager clicks Continue in the Manager Identification email. The manager will be redirected to a browser window with the Service Desk verification request.
  6. The manager clicks Verify to verify the user.
    WARNING
    It is essential in these types of scenarios that the manager is aware of the Service Desk call, and that they ascertain that it is in fact the user in question who is trying to get verified.

Identity Verification and security

If Enforce identity verification is enabled, the service desk agent is required to verify the identity of the user before being able to either reset the password or unlock the user’s computer, thereby increasing the security of the interaction. Once the identity is verified, the interaction with the Service Desk will rely on the creation of secure session tokens to maintain session integrity.

In a typical service desk session, the service desk agent issues an identification request to the user, using one of the user’s identity services. Once the user has authenticated with the identity service, the secure token is created. This token is shared between the specific service desk agent and the user for the duration of the session. Every interaction (password reset, unlock computer) is validated against this token. For the duration of the session, the token will only work for the service desk agent who initiated the identity verification, to perform action for the user who verified their identity.

Traceability
Besides providing a secure way to authorize actions from the Service Desk, the tokens also allow for the creation of a continuous event log associated with every Service Desk session. This makes every session trackable and searchable. All information regarding the session is accessible through the Reporting menu. More information on logging features and reports can be found in the Reporting section above.

Reset Password

Once the user has been found and their identity verified, the service desk agent can reset the password for the user.

  1. Click on the Reset password tab.
  2. Do one of the following:
    1. Enter a new password manually. Make sure it adheres to the password rules, which are listed underneath the text field.
      This option is not available if the System-generated passwords option is enabled in the settings. See Reset password settings section below for more information.
    2. Click the Generate button. This will generate a new password, which will adhere to the password rules. The service desk agent can never see this password.
  3. Under Options, check the “[user] must change password upon next logon.” option, to make sure that the user changes their password next time they log on.
  4. In the notification section, check the boxes for each notification method to use. The following notification methods are available (note that more than one notification method can be chosen):
    • To user via email (the mail will be sent to the email address associated with the user in Active Directory)
    • To user via text message (the text will be sent to the mobile number associated with the user in Active Directory)
    • To manager via email (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • To manager via text (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • To custom email. Use the dropdown to choose between different registered domains. This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • By reading it to the user.
      If the System-generated passwords option has been enabled in settings, the Service Desk agent will not be able to read the new password.
    User's email and text message are only visible if these have been configured in Active Directory. Send to manager and custom email are only visible if the correct options have been enabled in the settings, and if the user's manager has been configured in Active Directory.See Reset password settings section below for more information.
  5. Click the Reset password button.

For information on password reset options (settings), see the Configuring settings for Secure Service Desk section.

Unlock Computer

For users whose computers have been encrypted with Bitlocker or Symantec Endpoint Encryption, the service desk can assist in unlocking a locked computer. The service desk agent will be presented with a series of screens that will guide the user through the unlocking process and provide the response key required for unlocking the computer.

  1. Once the user’s identity has been verified, click the Unlock computer tab.
  2. Choose the correct encryption software (Bitlocker or Symantec) according to what the user is running. For users running Symantec Endpoint Encryption, an additional choice will have to be made depending to the type of Symantec:
    1. Native Symantec Endpoint Encryption (recognizable by the last logon time indicated on the screen)
    2. Symantec Endpoint Encryption for Bitlocker (user’s screen says Bitlocker Recovery)
    3. Older versions of Symantec Endpoint Encryption (user’s screen says WDRT token)
  3. Depending on the type of encryption, a particular number has to be input by the service desk agent.
    1. Native Symantec Endpoint Encryption: Sequence number
    2. Symantec Endpoint Encryption for Bitlocker: Recovery Key ID
    3. Older versions of Symantec Endpoint Encryption: Machine/Disk ID (UUID or DISKID)
    4. Native Bitlocker: Recovery Key ID
  4. Choose how to relay the recovery key to the user. Note that multiple methods can be chosen. Check the desired method, or check none if the service desk agent chooses to only read the number to the user.
    • To user via email (the mail will be sent to the email address associated with the user in Active Directory)
    • To user via text message (the text will be sent to the mobile number associated with the user in Active Directory)
    • To manager via email (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • To manager via text (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • To custom email. Use the dropdown to choose between different registered domains. This option is only visible if enabled in the settings, see Enabling additional notification methods section below.
    • By reading it to the user.
  5. Click Continue; the service desk agent will be presented with a Recovery key. If none of the methods above (email or text message) was chosen, the number needs to be read to the user for them to input it on their computer.
    NOTE
    for users running native Symantec Endpoint Encryption, there will be a checksum code above the Recovery key field that can be used to verify that the user has entered the correct key into their computer (in which case they codes should match).

Enabling additional notification methods

In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following methods can be enabled:

  • Send to manager (email and text message, if correctly configured in Active Directory)
  • Send to custom email

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand Key Recovery options.
  4. Check Enable sending the Recovery Key to managers to enable sending to a manager.
  5. Check Enable sending the Recovery Key to custom email addresses to enable sending to custom emails.
  6. Click Save.

Enrollment

Here you can see what identity services the user has enrolled with. Here you can also add enrollments for identity services ( and Mobile Code (SMS)) without user intervention. Certain identity services can also be removed so that the user can re-enroll with them.

Add Enrollment

If configured, Service Desk agents can enroll users with and/or Mobile Code (SMS) without any user intervention.

NOTE
Enrollments can only be added after the user's identity has been verified. See Verify Identity for more information on identity verification.
NOTE
Only those identity services that are correctly configured will be shown on the Add enrollment page.
Configuring Add Enrollment
  1. Go to Secure Service Desk > Settings
  2. Open Enrollment options
  3. Check the option Allow Service Desk agent to enroll users
  4. Make sure the identity services are configured correctly to allow adding enrollments.
    NOTE
    The setting Update mobile in AD needs to be set to one of the following:
    • Always
    • If number is missing in Active Directory
    • Store in user subobject (encrypted)
    Note also that if the setting is set to If number is missing in Active Directory and the number is already present in Active Directory, the Add enrollment feature will not work.
Adding enrollment for a user
  1. Verify the user (see Verify Identity for more information)
  2. Click Enrollment
  3. In the User enrollment info section, click the Add enrollment button
  4. Enter the user's phone number or personal email and click Send Code
  5. Have the user read the verification code they received to the Service Desk agent
  6. Enter the verification code in the Verify Code field, then click Add Enrollment
    7. NOTE
    Once the user has been enrolled with the identity service, it will appear in the Enrolled Identity Service list.
Troubleshooting Add Enrollment

If the Add enrollment button is inaccessible, administrators should check the following:

  • Check that Add Enrollment is enabled in the Secure Service Desk Settings (Enrollment options).
  • Check that the Mobile Code (SMS) and/or identity services are enabled.
  • Check that the settings for the Mobile Code (SMS) identity service allow adding the user's mobile number to AD.
    NOTE
    The feature will also not be available if the Update moble number in AD setting is set to If number is missing in Active Directory and there is already a number present in AD.

User Details

This section shows the details for the user currently accessed by the service desk agent. It contains information on User info (information registered in Acive Directory), Password info (information on password expiration and Specops Authentication enrollment), and History (events recorded for this user in the Service Desk).