Authentication Web

The Authentication Web can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for its various resources.

Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Authentication Web :

https://login.specopssoft.com/authentication/admin (US datacenter)

https://eu.login.specopssoft.com/authentication/admin (EU datacenter)

Gatekeepers

From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.

Creating and installing a new Gatekeeper

    Specops Authentication WebGatekeeper

  1. Login to the Specops Authentication Web .
  2. Click Gatekeepers.
  3. Click New.
  4. Click Download on Default self-extracting installation package.
    NOTE
    Take note of the activation code displayed on screen as you will be prompted for it during installation.
  5. Run the installation file.
  6. Complete the installation steps.
  7. Go back to the Gatekeepers page in Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.

Unregistering Gatekeepers

Clicking on a Gatekeeper in the list will bring you to the details page for that Gatekeeper. Here you can also unregister the Gatekeeper in question. However, it is recommended to unregister any Gatekeepers from the Gatekeeper Admin Tool. For more information on how to unregister Gatekeepers, please refer to the Managing offline Gatekeepers section on the Gatekeeper Admin Tool page.

From the menu, you can:

  • View a list of existing Cloud accounts
  • Add new Cloud accounts
  • Delete Cloud accounts
  • Generate an enrollment URL for a new Cloud account

Viewing existing Cloud accounts

You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.

Adding a new Cloud account

To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.

    Authentication Web

  1. Click .
  2. In the field, enter the account name (UPN) of the user account. For example: username@domain.com
  3. The Full cloud account name (upn) field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the field.
  4. Click Save.

Generating an enrollment session URL for a Cloud account

You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. An enrollment session URL enables a Cloud account to enroll, so that they can access the Admin pages in Specops Authentication Web. The URL must be copied and sent via email or text message.

NOTE
An enrollment URL will expire 2 hours after it has been generated. If the URL expires before it is used, a new one must be generated.

Administrators can actively revoke the link before the expiration time ends by clicking the Revoke link at the bottom of the window.

    Authentication Web

  1. Select a Cloud account from the list.
  2. Click next to the field.
  3. When the URL has been generated, click the link, to copy it.

Deleting a Cloud account

You can delete a Cloud account in the Cloud accounts menu.

WARNING
If you are a member of the “Admin group”, you will have the ability to delete another Cloud account.

    Authentication Web

  1. Select an account from the list.
  2. Click .
  3. In the confirmation dialog box, click Delete

Policies

Specops policies are collections of multi-factor authentication rules for the basic functionality of Specops Authentication. Separate policies can be configured for different Specops Authentication applications, as well as for the administrators for authentication for Authentication Web.

Configuring a policy

To configure a policy, click Configure next to each policy to set its authentication requirements.

    Authentication WebYour product

  1. Click Configure or Edit Authentication Rules.
  2. Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services on the left by clicking the plus-icon next to the identity service.
  3. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Please refer to the Identity service weight assignment page for additional guidance.
  4. To require the user to use a specific identity service, select the Required checkbox.
  5. Configure the required weight (stars) for enrollment.
  6. Configure the required weight (stars) for authentication.
    NOTE
    The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
  7. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  8. Click Save when you are done.

Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.

Removing an identity service

To remove an identity service from a policy, do the following:

    Authentication WebYour product

  1. Click Configure or Edit Authentication Rules
  2. Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the Unselected Identity Services box on the right.

Policy configuration best practices

When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.

When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.

For more information on enrollment, please refer to the Best Practices document.

Weak identity services

Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:

  • Security questions
  • Mobile Code (SMS)

Enrollment security modes

When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.

There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).

Low security
Users are only required to provide their Windows password for identification.

Medium security
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.

High security
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.

Note: users will be presented with indentity services for (re-)enrollement if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.

Note:the low or medium modes are set automatically, depending on the policy configurations. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.

Auto-enrolled identity services and security modes

For medium- and high security modes, users who are affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, will have to authenticate with the auto-enrolled identity service on the enrollment page. This means that users will have to have their enrollment with Duo Security or Okta in place before they can enroll with Specops Authentication .

Lockout settings

The identity services Mobile Code (SMS), Email, and can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web, and click on the settings icon next to the identity service in question. The following can be configured:

  • Lockout threshold: determines how many times wrong input can be provided.
  • Lockout duration in minutes in minutes: determines how long the identity service will be locked out for.

Trusted Network Locations setting

When this setting is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.

Identity Services

You can find a full list of available identity services under the Identity Services tab. You can enable/disable identity services all of the identity services in this list. You configure some of these identity services and manage their system-wide settings on this page.

If an identity service is configurable, you will see a Identity service cog icon next to it.

If an identity service is disabled, you will see a Identity service cross icon next to it.

If an identity service has been enabled, you will see a Identity service check icon next to it.

Examples:

  • A configurable identity service that is currently disabled.

Alt text for this image

  • A configurable identity service that is currently disabled.

Alt text for this image

Once you configure an identity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.

Alt text for this image

The following identity services can be configured:

  • Duo Security: Duo Security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo Security mobile app. They must then enter the code to successfully authenticate. To configure Duo Security, see here.

  • Email and : the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication . has to be registered at enrollment by the user and they may use any email address of their choosing.

  • Freja: If users choose to enroll with Freja, they need to authenticate in the Freja app on their device. To configure Freja, see here.

  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. To configure Manager Identification, see here.

  • Entra ID: allows Specops Authentication to integrate with Microsoft Authentication Libraries. Microsoft Authenticator can be used to authenticate with Specops Authentication without using a password.

  • Mobile Code (SMS): If users choose to enroll with Mobile Code (SMS), they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. To configure Mobile Code (SMS), see here.

  • Okta: Okta is a two-step verification service. When users authenticate, they will receive a a notification in their Okta mobile app. They must then acknowledge that notification in order to verify their identity. Users can also choose to have an Okta code sent to them in a text message. To configure Okta, see here.

  • Passkeys: Users can authenticate with passkeys passkeys they have already set up on their device. Passkeys are digital credentials (authenticators), tied to a user account and a website or application. Some examples of passkeys are Windows Hello, Yubikey, Bitwarden and any authentication app such as Google Authenticator.

  • PingID: With PingID, users can authenticate using the PingID mobile app.

  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. To configure Secret Questions, see here.

  • SITHS eID: SITHS eID is a smart card-based authentication service, that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. To configure SITHS eID, see here.

  • Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smart phones and tablets. Users can press their finger to the fingerprint scanner on their device to instantly identify themselves. Users can also use Face ID to authenticate, if they own an iPhone X and above. In order to use this identity service, users must have the app installed on their mobile device.

  • Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. To configure Symantec VIP, see here.

  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page .

Customization

There are a number of customization features that give you control over the Specops Authentication end–user interface, including: logos, text, and colors.

The logo at the top left of the page, both in Authentication Web and the Specops Client, can be changed to match your requirements.

    Authentication WebCustomization

  1. In the Image tab, click Browse under Main logo and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affaected.
    • For the best results, use an image width with a height of exactly 40 pixels and a width that is no greater than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.

    Authentication WebCustomization

  1. In the Image tab, click Browse under Login image and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be change to match your comapny’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:

    Authentication WebCustomization

  1. In the Style tab, select the checkbox in the Customized column next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon in the Pick color column and select the color you want, then click OK OR
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert a particular item to its default color, uncheck the Customized checkbox for that item and click Save

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.

    Authentication WebCustomization

  1. In the Text tab, select the language you want to make changes to by clicking the tab for that language.
  2. Click the text element you want to change, for example Satisfied, header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Current value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

Changing the names of identity services

The names of some identity services can be changed to better reflect the way in which they are used in your organization. The identity service names that can be changed are:

  • Email (IdService_PrimaryEmail)
  • Manager Identification (IdService_ManagerIdentification)
  • Mobile Code (IdService_MobileCode)
  • Personal Email (IdService_AlternateEmail)
  • Secret Questions (IdService_QAndA)
  • Windows Identity (IdService_WindowsIdentity)

Identity service names are changed in the same way as other texts, in the Texts table.

Enrollment

Text element Description Default text
Satisfied, header When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the header on that page. All done!
Satisfied, message When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the information text on that page. You have collected enough stars for your enrollment. Feel free to improve your enrollment information by collecting more stars.
Change Registrations, message This text is displayed on the page where the user selects identity services during the enrollment process. Specifically, this text is used when the user has opted to make changes to an already complete enrollment. Add or change identity services from the lists below. Make sure your star bar is still full after the changes.
Instructions This text is displayed on the page where the user selects identity services during the enrollment process. Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Reminder, header This is the header that will be displayed on the first page of the enrollment wizard, before the user needs to enter their password. Enrollment Reminder
Reminder, message This text will be displayed on the first page of the enrollment wizard, before the user needs to enter their password. You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard.
Finished, message This is displayed on the final page of the enrollment process after the user has enrolled with all available identity services or they have selected the "I'm done" option" and not "Collect more stars". You have completed the enrollment, you can now close this browser and move on with your day.
Already enrolled, header Already enrolled, header Enrolled
Already enrolled, message You are already enrolled! If you want to, you can enroll with additional identity services or make changes to the identity services you are enrolled with.

Mfa

Text element Description Default text
Select Identity Service, message This text is displayed on the page where the user selects identity services during the login process. Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.
Cannot enroll because no policy, header This title is displayed when a user who does not have a policy configured tries to sign in. You cannot enroll for this service
Cannot enroll because no policy, message This message is displayed when a user who does not have a policy configured tries to sign in. No policy has been configured for you for this service.
Enrollment Missing, header This header is displayed when a user is not enrolled for uReset and tries to reset their password. Enrollment missing
Cannot Reset Password, not enrolled with uReset This text is displayed when a user is not enrolled for uReset and tries to reset their password. You cannot reset your password because you have not enrolled for the reset password service.
Cannot Sign in from Untrusted IP This text is displayed to an end user when they are trying to sign in but are disallowed due to not connecting from a trusted network location. You cannot sign in to the {0} resource because you are not connecting from a Trusted Network Location.

Service Desk

Text element Description Default text
Search Users This text is displayed on the {0} start page. Use the search box to find users. You can search by account names, email addresses or users' real names.
Advanced Verification default text message body During advanced verification, a Service Desk agent can send a text message to the user containing a verification link. The message's default text is determined by this text message template. It can be changed by the Service Desk agent before sending. Verify your identity here {url}
Advanced Verification default email subject During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default text is determined by this email subject template. It can be changed by the Service Desk agent before sending. Verify your identity
Advanced Verification default email body During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default text is determined by this email body template. It can be changed by the Service Desk agent before sending. Use this link to verify your identity {url}
RSA SecurID token verification instructions Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. Enter a code from the {0} app.
RSA SecurID code verification instructions Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. Enter a code from the {0} app.
Password Reset - User Notification Message Body <p>Describes the text message body for the user password reset notification. This text should specify the message body details.</p> {password} will be replaced with the new user password - this placeholder is required.<br/> {upn} will be replaced with the user upn - this placeholder is not required.<br/> {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. Your new password is: {password}
Password Reset - Manager/Custom Notification Message Body <p>Describes the message body for the manager/custom password reset notification. This text should specify the message body details.</p> {password} will be replaced with the new user password - this placeholder is required.<br/> {upn} will be replaced with the user upn - this placeholder is not required.<br/> {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. The new password for {upn} is: {password}
Password Reset - User Notification Sms Body <p>Describes the message body for the user password reset notification. </p> {password} will be replaced with the new user password - this placeholder is required.<br/> {upn} will be replaced with the user upn - this placeholder is not required.<br/> {changepasswordlink} will be replaced with the password reset link - this placeholder is not required. New password: {password}

Password change/reset

Text element Description Default text
Password Change - Success, message This text is displayed when the user is done with a password reset or a password change. Your password has been changed! If you are using a Windows computer, it is recommended to sign out and sign in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary.
Password Change - Success, message for Secure Browser This text is displayed when the user is done with a password reset or password change that started from the Windows identity password view. Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary.
Password Change/Reset - Instructions, message This text is displayed above the password rules when a user is about to perform a password change or password reset.
Password Change/Reset - Instructions, message on mobile This text is displayed on small devices where the user clicks to expand the password instructions, above the password rules when a user is about to perform a password change or password reset. Show instructions
Password selection page - Instructions This text is displayed on the password start page where the user can select between a password change and a password reset. Need to change your password? If you know your current password, you can sign in with that in order to change it. If you have forgotten your password, you can use the second option to sign in and then reset your password.
Password selection page - Title This text is displayed on the password start page. This is the section title. New password
Password selection page - Change password button This button is displayed on the password start page. This button initiates a password change when the password is known. I know my password
Password selection page - Reset password button This button is displayed on the password start page. This button initiates a password change when the password is not known. I forgot my password

Other

Text element Description Default text
Username label on username page This text is displayed when a user enters their username during sign-in. Username
Username label on password page This text is displayed when a user enters their username during sign-in. Username
RSA SecurID token verification instructions Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. Enter a code from the {0} app.
RSA SecurID code verification instructions Describes how the users handle token verification with their RSA SecurID devices. This text should specify if the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID' but adding this placeholder is not required. Enter a code from the {0} app.
Unlock selection page - Instructions This text is displayed on the unlock start page where the user can unlock their account if the password is known. If you know your current password, but the account is locked out, you can unlock it to be able to sign in.
Unlock selection page - Title This text is displayed on the unlock start page. This is the section title. Unlock account

Identity Service

Text element Description Default text
Display name for Windows Identity This text will replace the display name for the Windows Identity identity service where the identity service is used. Windows Identity
Display name for Mobile Code This text will replace the display name for the Mobile Code identity service where the identity service is used. Mobile Code
Display name for Email This text will replace the display name for the Email identity service where the identity service is used. Email
Display name for PersonalEmail This text will replace the display name for the Personal Email identity service where the identity service is used. Personal Email
Display name for Manager Identification This text will replace the display name for the Manager Identification identity service where the identity service is used. Manager Identification
Display name for Secret Questions This text will replace the display name for the Secret Questions identity service where the identity service is used. Secret Questions

First Day Password

First Day Password
Text element Description Default text
First Day Password start page title Title for the First Day Password landing page Setting a password
First Day Password start page description Description on the First Day Password landing page It is time to select your first password. On the next page you will see a list of rules and restrictions for how a password can be constructed. Once you are happy with your password, you will need to repeat it in the second box.
Invalid First Day Password URL message Information to end user when the link has expired or is invalid This link for setting your password has expired or is invalid, contact your admin for help.
Not eligible for First Day Password Error message when a user is not eligible for First Day Password after signing in You are not currently eligible for the First Day Password process.
First Day Password set initial password information Optional information displayed to the user on top of the reset page when setting their first password.
First Day Password completed message This text is displayed when the First Day Password user is done with password setup. Your Windows password has now been set.

Setting a fallback language

The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.

    Authentication WebCustomization

  1. In Authentication Web go to Customization > Texts
  2. Click on the tab of the language you want to set as the fallback language, and click Set as fallback language. The fallback language will be marked in bold.
    NOTE
    If a language has been set as the fallback language, the button will allow you to disable the fallback language, otherwise it will allow you to set it.

The order in which text strings are shown to the user is as follows:

    Authentication WebCustomization

  1. Customized value for the user’s current language.
  2. Customized value for the fallback language (if no customized value exists for the current language).
  3. Default text for the current language (if there are no customized values for either the current language or the fallback language).

This feature can be used to make sure that important custom message are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Complete_Message string in English also has a customized value. If a user has their language set to anthing other than French or English, they will still see the English message, even if there is no customized text for their current language.

Reporting

The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.

  • Usage: From the Usage tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or Mobile Code (SMS) usage).
  • Auditing: From the Auditing tab you can track event changes in uReset. Click Get Events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
  • System Events: From the System Events tab you can view the log operations performed by uReset. The displayed information, warnings, and errors, are intended for administrators who are responsible for troubleshooting the system. Click Find without any filtering information for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
  • Not Enrolled Users: From the Not Enrolled Users tab you can track enrollment progress by generating and exporting reports related to user enrollments.

Subscriptions

You can see the status of your uReset subscription, including enabled features and identity services from the Subscriptions tab. You can also see usage statistics including completed authentication by month, and all time.

From the menu, you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage your custom email settings.

Domains

To add multiple domains to your uReset organization account.

    Authentication Web

  1. Select in Authentication Web.
  2. In the tab, click Add new.
  3. Enter the domain name in the field, and click Save.

You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.

Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.

Preferred Domain

When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).

Setting the preferred domain

    Authentication Web

  1. Select in Authentication Web
  2. In the list, click Edit for the domain you want to set as the preferred domain.
  3. Select the checkbox.
  4. Click Save

CAPTCHA

In this tab you can configure the settings to dynamically display a CAPTCHA. CAPTCHA is used to prevent scripted username harvesting. This setting will protect the endpoints where a user enters their username. If CAPTCHA is enabled, any suspicious attempts at accessing the endpoints will prompt the user with a CAPTCHA challenge. The Google reCAPTCHA technology is used. It is recommended to enable CAPTCHA.

You can set CAPTCHA to one of the following:

  • Disable Captcha: disables CAPTCHA entirely.
  • Enabled Captcha for requests from untrusted network locations: when Trusted Network Locations is enabled, this option will enable CAPTCHA only for users connecting from IP addresses outside of your trusted network locations.
  • Enable Captcha always: this enables Captcha for all users.

CAPTCHA for ADAL browsers

The ADAL browser is a custom browser from Microsoft that is used to perform a delegated authentication from, for example Microsoft Outlook or Microsoft Word. These browsers are not fully compatible with Google reCAPTHA and the end user may be presented with many CAPTCHA challenges in succession. To prevent users from being presented with multiple CAPTCHA challenges, you can check the the CAPTCHA Enabled in ADAL browsers checkbox.

NOTE
If SMTP settings have been configured in the Gatekeeper Admin Tool to use your own SMTP provider instead of the Specops Default Configuration (which uses third-party providers, such as SendGrid), this section will be disabled. In order to use the Default Configuration and configure the email settings here, log in to the Gatekeeper Admin Tool, go to Email configuration, click Edit, and change the dropdown to Specops Default Configuration. Then click OK twice.

If you would like to have enrollment-, authentication-, and user identity verification emails sent from a custom email address, you can configure this here.

NOTE
Setting this email address will not change your notification settings (e.g. for Specops uReset notifications).

    Authentication Web

  1. Click on the tab
  2. Click on the current email to enter the Email settings
  3. Set the , the , and select the domain from the dropdown.
    NOTE
    Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
  4. Click Save
    5. NOTE
    Clicking Reset to System Default will revert the email settings back to the default email address set by Specops (from specopssoft.com). This will delete the current email setting.

Configuring DKIM Records for email

DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.

DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. A domain owner also adds a DKIM record, which is a modified TXT record, to the DNS records on sending domain. This TXT record will contain a public key that's used by receiving mail servers to verify a message's signature.

  1. Send a request for DKIM to Product Support (you can use this form).
  2. Product Support generates a DKIM record, which is sent to you.
  3. Add the DKIM record to your DNS record.
  4. Once added, Product Support can verify the existence of the record.

The tab displays information on account creation date and the date the terms of service were accepted.

Accounts can be deleted by contacting Specops.

User Counting

You can refresh the enrollment statistics, found on the Reporting page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.

The last count statistics can also be found on the page.

Configuring user counting time

Here you can configure at what time user counting will run on the Gatekeeper.

    Authentication WebReporting

  1. Set the time you want user counting to run.
    NOTE
    Time is set in Coordinated Universal Time (UTC).
  2. Mark the checkbox Send enrollment reminders when the counting is complete in order to send enrollment reminders to users whenever user counting is run.
  3. Click Save Settings.

Manually initiate user counting

User counting can be started at any time by clicking the Start Counting button.

Secure Service Desk

The Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Specops Service Desk Agents can help users reset their passwords or unlock their computers (if encrypted with Bitlocker or Symantec) in a secure and easy to use environment, while Specops Service Desk User Verifiers can verify users and check enrollments. The Service Desk also holds user information and statistics.

NOTE
Note on phone numbers in Active Directory

Important: in order for text messaging to function correctly in the Service Desk, the mobile phone number registered in Active Directory has to follow the E.164 numbering plan format. This means that mobile phone numbers have to have the following format: +[country_code][subscriber_number_omitting_first_zero]. For example, for the Swedish (country code 46) phone number 073-3123456, the number in AD should be +46733123456; for the US (country code 1) phone number 415 555 2671, the format in AD should be +14155552671.

Note that registering phone numbers in Active Directory using any other format will result in the Specops Service Desk Agent being unable to send text messages to the user in question.

Secure Service Desk agent roles

There are two distict types of Secure Service Desk agents: Specops Service Desk Agent and Specops Service Desk User Verifier. These two types of agents each have a different set of permissions:

Specops Service Desk Agent has permissions to perform all actions in the Secure Service Desk.

Specops Service Desk User Verifiercan perform the following actions:

  • Verify Identity (both Quick and Advanced verification)
  • View user Enrollments
  • Send Enrollment links to users

Configuring a policy for access to the Secure Service Desk

For added security, you can configure multi-factor authentication policies for users (typically Specops Service Desk Agents) accessing the service desk.

    Authentication WebService Desk

  1. Click on Service Desk in the left navigation.
  2. Click on the Configure button to configure the policy.
  3. Configure the policy, then click Save.

Configuring settings for Secure Service Desk

On the Settings page you can configure the following:

  • Identity verification
  • Verification override URL
  • Password reset options
  • User privacy options
  • Key Recovery options
  • Enrollment options

Identity verification

Force identity verification

If this setting is enabled, the user’s password cannot be reset, nor can their computer be unlocked by the service desk, until the user's identity has been verified by having them authenticate with any of the identity services they have previously enrolled with.

    Authentication WebService Desk

  1. Click on Service Desk in the left navigation.
  2. Click on the Settings button to configure the settings.
  3. Click on the Identity Verification section.
  4. Check the Enforce identity verification checkbox, and click Save.
NOTE
When users have RSA hardware tokens with PIN, RSA will be the required advanced verification option.
Configure enabled verification methods

By default, all available (and future) verification methods are enabled in Service Desk. If you want to control which verification methods can be used in Service Desk, you can do that here.

NOTE
Remember that when this setting is enabled, newly introduced verification methods must be enabled through these settings before they can be used in the Service Desk.

    Authentication WebService Desk

  1. Click on Service Desk in the left navigation.
  2. Click on the Settings button to configure the settings.
  3. Click on the Identity Verification section.
  4. Click on the Configure enabled verification methods button.
  5. Check the Use only explicitly enabled verification methods checkbox.
  6. Enable or disable the verification methods of your choice by clicking their status button.

Verification override URL

Here you can enter a verification override URL which will be shown to a Service Desk agent when the verification URL can't be sent to the user directly. The service desk agent can then read the URL to the user. For more information on this feature and its set-up, see the Override URL page.

Password reset options

The following options can be enabled in the password reset settings:

  • Force users to change password after reset
    If this option is enabled, Service Desk agents cannot input passwords manually for resets. The new password will be sent to the user in an email or text message.
  • Allow manual password override (to override system-generated passwords if the System-generated passwords option has been enabled)
  • Allow only system-generated passwords (to enable the generation of passwords by the system; the Specops Service Desk Agent will not be able to read the generated password)
  • Notifications (see the Enabling additional notification methods section below)
Enabling additional notification methods

This section allows for configuring the notification possibilities for the Specops Service Desk Agent. In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following settings can be enabled:

  • Enable sending new passwords through email or text message: when this option is checked, the email and text notification methods are available to the Specops Service Desk Agent (provided that the attributes for the user are configured correctly in Active Directory)
  • To custom email: allows sending notification emails to email addresses other than those registered in Active Directory.
  • To manager: allows sending notifications to the user's manager (email and text message, if correctly configured in Active Directory)

    Authentication WebService Desk

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand Password reset options.
  4. Check Enable sending new passwords to managers to enable sending to a manager.
  5. Check Enable sending new passwords to custom email addresses to enable sending to custom emails.
    This option is not available if the System-generated passwords option has been enabled. This is a security precaution to avoid having the Specops Service Desk Agent be able to read the generated password.
  6. Click Save

User privacy options

These options can be used to restrict Specops Service Desk Agents' access to certain user information. The following options are available:

  • Part of number: enables showing, hiding or only showing part of the user's phone number for the Specops Service Desk Agent.
  • Show/Hide (email): enables showing or hiding the user's email address for the service desk agent.
Hiding a user's phone number and/or email address

    Authentication WebService Desk

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand User privacy options options.
  4. Set the first drop-down to Hide to hide the user's phone number from the service desk agent's view. Note that it is also possible to show part of the telephone number to the service desk agent.
  5. Set the second drop-down to Hide to hide the user's email from the service desk agent's view.
  6. Click Save

Key Recovery options

This section allows you to configure additional notifications for key recovery operations:

  • Enable sending the Recovery Key to managers: allows sending the Recovery Key to the user's manager if configured correctly in Active Directory.
  • Enable sending the Recovery Key to custom email addresses: allows sending the Recovery Key to emails other than those associated with the user in Active Directory. The custom emails are required to be in the registered domains.

Enrollment options

Here you can configure whether or not Specops Service Desk Agents can enroll users for certain identity services without user intervention. This feature can only be used when the user has been verified. For more information on this feature, please see the Enrollment section.

Configuring Add Enrollment

    Authentication WebService Desk

  1. Go to Secure Service Desk > Settings
  2. Open Enrollment options
  3. Check the option Allow Service Desk agent to enroll users
  4. Make sure the identity services are configured correctly to allow adding enrollments.
    NOTE
    The setting Update mobile number in AD needs to be set to one of the following:
    • Always
    • If number is missing in Active Directory
    • Store in user subobject (encrypted)
    Note also that if the setting is set to If number is missing in Active Directory and the number is already present in Active Directory, the Add enrollment feature will not work.
Troubleshooting Add Enrollment

If the Add Enrollment button is inaccessible, administrators should check the following:

  • Check that Add Enrollment is enabled in the Secure Service Desk Settings (Enrollment options).
  • Check that the Mobile Code (SMS) and/or identity services are enabled.
  • Check that the settings for the Mobile Code (SMS) identity service allow adding the user's mobile number to AD.
    NOTE
    The feature will also not be available if the Update mobile number in AD setting is set to If number is missing in Active Directory and there is already a number present in AD.

Language options

The language options lets you set the preferred language for emails and sms sent from the Secure Service Desk.

    Authentication WebSecure Service Desk

  1. Go to Secure Service Desk > Settings.
  2. Open Language options.
  3. Check the box marked Use preferred language.
  4. In the language dropdown, select the language you want to use as the preferred language.
  5. Click Save

Customizing emails and texts for Manager Identification

One of the Quick Verification options is to have a user's manager identify the user. This done by sending a verification link to the user's manager by either text message or email. These messages can be customized in the Manager Identification identity service.

    Authentication WebIdentity Services

  1. Click on Identity Services in the left navigation
  2. Click on Manager Identification
  3. Select the Service Desk Comnfiguration tab at the top
  4. Enter the Subject and Body texts of the message
    NOTE
    In the Subject as well as Body fields, placeholder texts can be used. The following placeholders are available:
    • %UserDisplayName%: inserts the display name of the user who needs to be identified
    • %UserUPN%: inserts the UPN of the user from Active Directory
    • %ManagerVerificationUrl%: inserts the verification URL the manager can click to verify the user
    • %ManagerDisplayName%: inserts the manager's display name
    • %ServiceDeskUserDisplayName%: inserts the display name of the service desk agent sending the message
  5. Mark the Enabled checkbox to enable the message
    NOTE
    To (temporarily) disable the custom message, remove the checkmark from this checkbox.
  6. Click Save

Specops Secure Access

Specops Secure Access brings two-factor authentication to the Windows login screen; it requires users to authenticate with an additional identity service besides their main Windows password when they log in to their computer. This provides an extra layer of security. Secure Access is designed to increase security with minimal impact on users. The authentication process is flexible in that users can choose themselves which additional identity service they wish to use as a second factor.

Currently, the following identity services can be configured with Secure Access:

Configuring a Secure Access policy

Setting up Secure Access consists of configuring a policy that includes those identity services that your users have access to.

    Specops Authentication WebMFA for Windows

  1. In the Specops Authentication Web left navigation, go to MFA for Windows
  2. Click on the MFA for Windows tab, then click Configure for the policy.
  3. Click the plus-icon for those identity services you want to include in the policy.
  4. Click Save

Configuring an NPS Companion policy

The Microsoft Network Policy Server (NPS) is called through the NPS Companion using RADIUS to enable two-factor authentication for remote access. Here you can configure a policy for those users.

    Specops Authentication WebMFA for Windows

  1. In the Specops Authentication Web left navigation, go to MFA for Windows
  2. Click on the NPS Companion tab, then click Configure for the policy.
  3. Click the plus-icon for those identity services you want to include in the policy.
  4. Click Save

End-user

In order to provide a backup authentication method (e.g. in cases where online access is unavailable), users need to configure an account registration entry in their authenticator app.

NOTE
If this is the first time users access Secure Access and they have not yet enrolled with Specops Authentication, they will need to enroll first.
  1. Click on the Register button.
  2. A secure browser window will open. Follow the instructions in the browser to enroll with Specops Authentication.

Setting up offline authentication registration (Initial login procedure)

NOTE
An authenticator app such as MIcrosoft Authenticator or Google Authenticator is required to set up offline authentication.
  1. Log in to your computer with your main Windows password and a second factor chosen from the list.
  2. The Secure Access screen shows a QR-code
  3. Open your authenticator app and create a new entry.
  4. Scan the QR-code from within the authenticator app.
  5. Enter the code generated by the authenticator app.
  6. Click OK.

Subsequent logins require the user to log in with their main Windows password and a second factor of their choosing.

Offline authentication

In situations where users are unable to connect to the internet, Secure Access can still be used by using the user's authenticator app as a second factor (see above, previous section on initial login).

In cases where the user's computer is offline, they will be presented with the following:

  1. Log in to your computer with your main Windows password.
  2. The Secure Access screen will indicate a Server connection error.
  3. Click the Offline Code button.
  4. Open your authenticator app and find the MFA account registration entry.
  5. Enter the code from your authenticator app.
  6. Click OK.