Specops Secure Service Desk

From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.

Create and install new Gatekeeper

1. Login to the Specops Authentication Web .
2. Click Gatekeepers.
3. Click New.
4. Click Download on Default self extracting installation package.
   NOTE

   Take note of the activation code displayed on screen as you will be prompted for it during installation.
5. Run the installation file.
6. Complete the installation steps.
7. Go back to the Gatekeepers page in Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.

Unregistering Gatekeepers

Clicking on a Gatekeeper in the list will bring you to the details page for that Gatekeeper. Here you can also unregister the Gatekeeper in question. However, it is recommended to unregister any Gatekeepers from the Gatekeeper Admin Tool. For more information on how to unregister Gatekeepers, please refer to the Managing offline Gatekeepers section on the Gatekeeper Admin Tool page.

From the Cloud Accounts menu, you can:

• View a list of existing Cloud accounts
• Add new Cloud accounts
• Delete Cloud accounts
• Generate an enrollment URL for a new Cloud account

Viewing existing Cloud accounts

You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.

Adding a new Cloud account

To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.

Authentication WebCloud Accounts

1. Click Add account.
2. In the Account email address field, enter the account name (UPN) of the user account. For example: username@domain.com
3. The Full cloud account name (upn) field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the Account email address field.
4. Click Save.

Generating an enrollment session URL for a Cloud account

You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web. The URL must be copied and sent via email or text message.

1. Select a Cloud account from the list.
2. Click Generate next to the Enroll session URL field.
3. When the URL has been generated, click the Copy link link, to copy it.

Deleting a Cloud account

You can delete a Cloud account in the Cloud accounts menu.

1. Select an account from the list.
2. Click Delete Account.

Specops policies are collections of multi-factor authentication rules for the basic functionality of Specops Authentication. Separate policies can be configured for different Specops Authentication applications, as well as for the administrators for authentication for Authentication Web.

Configuring a policy

To configure a policy, click Configure next to each policy to set its authentication requirements.

1. In Authentication Web, go to Policies.
2. Click Configure.
3. Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services on the left by clicking the plus-icon next to the identity service.
4. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Click here for additional guidance.
5. To require the user to use a specific identity service, select the Required
6. Configure the required weight (stars) for enrollment.
7. Configure the required weight (stars) for authentication.
   NOTE

   The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
8. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
9. Click Save when you are done.

Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.

Removing an identity service

To remove an identity service from a policy, do the following:

• In Authentication Web, go to Policies
• Click Configure
• Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the Unselected Identity Services box on the right.

Policy configuration best practices

When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.

When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.

For more information on enrollment, please refer to the Best Practices document.

Weak identity services

Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:

• Security questions
• Mobile Code (SMS)
• Personal Email

Enrollment security modes

When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.

There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).

Low security
Users are only required to provide their Windows password for identification.

Medium security
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.

High security
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.

Note: users will be presented with indentity services for (re-)enrollement if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.

Note:the low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.

Auto-enrolled identity services and security modes

For medium- and high security modes, users who are affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, will have to authenticate with the auto-enrolled identity service on the enrollment page. This means that users will have to have their enrollment with Duo Security or Okta in place before they can enroll with Specops Authentication .

Lockout settings

The identity services Mobile Code (SMS), Email, and Personal Email can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web , and click on the settings icon next to the identity service in question. The following can be configured:

• Lockout threshold: determines how many times wrong input can be provided.
• Lockout duration in minutes: determines how long the identity service will be locked out for.

Trusted Network Locations setting

When this setting is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.

You can find a full list of available identity services under the Identity Services tab. You can enable/disable identity services all of the identity services in this list. You configure some of these identity services and manage their system-wide settings on this page.

If an identity service is configurable, you will see a next to it.

If an identity service is disabled, you will see a next to it.

If an identity service has been enabled, you will see a next to it.

Examples:

• A configurable identity service that is currently disabled.

• A configurable identity service that is currently disabled.

Once you configure an identity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.

The following identity services can be configured:

• Duo Security: Duo Security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo Security mobile app. They must then enter the code to successfully authenticate. To configure Duo Security, see here.

• SITHS eID: SITHS eID is a smart card-based authentication service, that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. To configure SITHS eID, see here.

• Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. To configure Manager Identification, see here.

• Mobile Code (SMS): If users choose to enroll with Mobile Code (SMS), they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. To configure Mobile Code (SMS), see here.

• Freja: If users choose to enroll with Freja, they need to authenticate in the Freja app on their device. To configure Freja, see here.

• Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. To configure Secret Questions, see here.

• Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. To configure Symantec VIP, see here.

• Email and Personal Email: the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication . Personal Email has to be registered at enrollment by the user and they may use any email address of their choosing.

• Okta: Okta is a two-step verification service. When users authenticate, they will receive a a notification in their Okta mobile app. They must then acknowledge that notification in order to verify their identity. Users can also choose to have an Okta code sent to them in a text message. To configure Okta, see here.

• Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.

There are a number of customization features that give you control over the Specops Authentication end–user interface, including: logos, text, and colors.

Changing the main logo

The logo at the top left of the page, both in Authentication Web and the Authentication Client, can be changed to match your requirements.

Authentication WebCustomization

1. Click Browse and select the image you want to use.
2. Click OK.
3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

• Supported file types: png, gif, jpg.
• Maximum file size: one megabyte (1 MB).
• Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
• Image will be rendered with a height of 40 pixels.
  • Aspect ratio of the uploaded file will always be kept intact.
  • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
  • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affaected.
  • For the best results, use an image width with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.

1. Click Browse and select the image you want to use.
2. Click OK.
3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be change to match your comapny’s look and feel. The colors that can be changed are:

• Page background (page’s main content area)
• Menu background (top and side navigation)
• Sign-in background (login page)
• Default button (primary buttons)
• Secondary button (buttons such as Cancel etc.)
• Information box background (textboxes with additional information)

To change the color:

1. Select the checkbox next to the color you want to change.
2. Select the color you want to use:
   • Click the color-picker icon and select the color you want, then click OK.
   • Enter the HTML color code (hexadecimal color code) in the text field.

To revert a particular item to its default color, uncheck the Customized checkbox for that item and click Save

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

1. Select the language you want to make changes to by clicking the tab for that language.
2. Click the text element you want to change, for example Enroll_Completed_Header.
3. Select Use custom.
4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Current value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

Changing the names of identity services

The names of some identity services can be changed to better reflect the way in which they are used in your organization. The identity service names that can be changed are:

• Email (IdService_PrimaryEmail)
• Manager Identification (IdService_ManagerIdentification)
• Mobile Code (IdService_MobileCode)
• Personal Email (IdService_AlternateEmail)
• Secret Questions (IdService_QAndA)
• Windows Identity (IdService_WindowsIdentity)

Identity service names are changed in the same way as other texts, in the Texts table.

Setting a fallback language

The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.

1. In Authentication Web go to Customization > Texts
2. Click on the tab of the language you want to set as the fallback language, and click Set as fallback language.
   NOTE

   If a language has been set as the fallback language, the button will allow you to disable the fallback language, otherwise it will allow you to set it.

The order in which text strings are shown to the user is as follows:

1. Customized value for the user’s current language.
2. Customized value for the fallback language (if no customized value exists for the current language).
3. Default text for the current language (if there are no customized values for either the current language or the fallback language).

This feature can be used to make sure that important custom message are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Complete_Message string in English also has a customized value. If a user has their language set to anthing other than French or English, they will still see the English message, even if there is no customized text for their current language.

The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.

• Usage: From the Usage tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or Mobile Code (SMS) usage).
• Auditing: From the Auditing tab you can track event changes in uReset. Click Get Events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
• System Events: From the System Events tab you can view the log operations performed by uReset. The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find without any filtering information for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
• Not Enrolled Users: From the Not Enrolled Users tab you can track enrollment progress by generating and exporting reports related to user enrollments.

You can see the status of your uReset subscription, including enabled features and identity services from the Subscriptions tab. You can also see usage statistics including completed authentication by month, and all time.

From the Account menu, you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage your custom email settings.

Domains

To add multiple domains to your uReset organization account.

1. Select Account in Authentication Web.
2. In the Domain names tab, click Add new.
3. Enter the domain name in the Domain name field, and click Save.

You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.

Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.

Preferred Domain

When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).

Setting the preferred domain

1. Select Account in Authentication Web
2. In the Domain names list, click Edit for the domain you want to set as the preferred domain.
3. Select the Set as preferred domain checkbox.
4. Click Save

CAPTCHA

In this tab you can configure the settings to dynamically display a CAPTCHA. CAPTCHA is used to prevent scripted username harvesting. This setting will protect the endpoints where a user enters their username. If CAPTCHA is enabled, any suspicious attempts at accessing the endpoints will prompt the user with a CAPTCHA challenge. The Google reCAPTCHA technology is used. It is recommended to enable CAPTCHA.

You can set CAPTCHA to one of the following:

• Disable Captcha: disables CAPTCHA entirely.
• Enabled Captcha for requests from untrusted network locations: when Trusted Network Locations is enabled, this option will enable CAPTCHA only for users connecting from IP addresses outside of your trusted network locations.
• Enable Captcha always: this enables Captcha for all users.

CAPTCHA for ADAL browsers

The ADAL browser is a custom browser from Microsoft that is used to perform a delegated authentication from, for example Microsoft Outlook or Microsoft Word. These browsers are not fully compatible with Google reCAPTHA and the end user may be presented with many CAPTCHA challenges in succession. To prevent users from being presented with multiple CAPTCHA challenges, you can check the the CAPTCHA Enabled in ADAL browsers checkbox.

Email settings

If you would like to have enrollment-, authentication-, and user identity verification emails sent from a custom email address, you can configure this here.

1. Click on the Email settings tab
2. Click on the current email to enter the Email settings
3. Set the Sender Display Name, the Sender Address, and select the domain from the dropdown.
   NOTE

   Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
4. Click Save
NOTE
Clicking Reset to System Default will revert the email settings back to the default email address set by Specops (from specopssoft.com). This will delete the current email setting.

Configuring DKIM Records for email

DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.

DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. A domain owner also adds a DKIM record, which is a modified TXT record, to the DNS records on sending domain. This TXT record will contain a public key that's used by receiving mail servers to verify a message's signature.

1. Send a request for DKIM to Product Support (you can use this form).
2. Product Support has a DKIM record generated, which is sent to you.
3. Add the DKIM record to your DNS record.
4. Once added, Product Support can verify the existence of the record.

Information

The Information tab displays information on account creation date and the date the terms of service were accepted.

Delete Account

Accounts can be deleted by contacting Specops.

You can refresh the enrollment statistics, found on the Reporting page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.

The last count statistics can also be found on the page.

Configuring user counting time

Here you can configure at what time user counting will run on the Gatekeeper.

1. Set the time you want user counting to run.
   NOTE

   Time is set in Coordinated Universal Time (UTC).
2. Mark the checkbox Send enrollment reminders when the counting is complete in order to send enrollment reminders to users whenever user counting is run.
3. Click Save Settings.

Manually initiate user counting

User counting can be started at any time by clicking the Start Counting button.