Authentication Web

The Authentication Web can be used to view system information and manage various aspects of the product, including system-wide configuration and the multi-factor authentication policies for its various resources.

Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Authentication Web:

https://login.specopssoft.com/authentication/admin (US datacenter)

https://eu.login.specopssoft.com/authentication/admin (EU datacenter)

Gatekeepers


From the Gatekeepers menu, you can see a list of your Gatekeepers, and their connection status. For redundancy, set up and configure additional Gatekeepers.

Creating and installing a new Gatekeeper


  1. Log in to Specops Authentication Web.
  2. Click Gatekeepers.
  3. Click New.
  4. Click Download on Default self-extracting installation package.
    NOTE
    Take note of the activation code displayed on screen as you will be prompted for it during installation.
  5. Run the installation file.
  6. Complete the installation steps.
  7. Go back to the Gatekeepers page in Specops Authentication Web, and ensure that the Gatekeeper priority is as needed.

Unregistering Gatekeepers

Clicking on a Gatekeeper in the list will bring you to the details page for that Gatekeeper. Here you can also unregister the Gatekeeper in question. However, it is recommended to unregister any Gatekeepers from the Gatekeeper Admin Tool. For more information on how to unregister Gatekeepers, please refer to the Managing offline Gatekeepers section on the Gatekeeper Admin Tool page.


Cloud Accounts


From the Cloud Accounts menu, you can:

  • View a list of existing Cloud accounts
  • Add new Cloud accounts
  • Delete Cloud accounts
  • Generate an enrollment URL for a new Cloud account

Viewing existing Cloud accounts

You can view a list of existing cloud accounts. You can also view additional details, such as: the account name, mobile phone number, the last time the password was changed, and the enrollment session expiry date if the user has a pending enrollment.

Adding a new Cloud account

To add a new Cloud account, you must be signed in with a Cloud account, or an Active Directory user account in the User Admin Group.


  1. Click .
  2. In the field, enter the account name (UPN) of the user account. For example: username@domain.com
  3. The Full cloud account name (upn) field is read-only. The full Cloud account name is automatically generated from the account name (UPN) specified in the field.
  4. Click Save.

Generating an enrollment session URL for a Cloud account

You can generate an enrollment session URL for a Cloud account in the Cloud Accounts menu. The URL lets the holder of the Cloud account enroll so that they can access the Admin pages in Specops Authentication Web. Copy the URL and send it to the user by email or text message. Treat it as a credential: anyone who has the link can complete the enrollment until it expires or is revoked.

NOTE
An enrollment URL will expire 2 hours after it has been generated. If the URL expires before it is used, a new one must be generated.

Administrators can actively revoke the link before the expiration time ends by clicking the Revoke link at the bottom of the window.


  1. Select a Cloud account from the list.
  2. Click next to the field.
  3. When the URL has been generated, click the link, to copy it.

Deleting a Cloud account

You can delete a Cloud account in the Cloud accounts menu.

WARNING
Members of the “Admin group” can delete any Cloud account, not only their own.


  1. Select an account from the list.
  2. Click .
  3. In the confirmation dialog box, click Delete.

Policies


Specops policies are collections of multi-factor authentication rules for the basic functionality of Specops Authentication. Separate policies can be configured for the different Specops Authentication applications, and for administrator authentication to Authentication Web.

Configuring a policy

To configure a policy, click Configure next to each policy to set its authentication requirements.


  1. Click Configure or Edit Authentication Rules.
  2. Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services on the left by clicking the plus-icon next to the identity service.
  3. You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator with 2 stars, would be equivalent to two identity services worth 1 star. Please refer to the Identity service weight assignment page for additional guidance.
  4. To require the user to use a specific identity service, select the Required checkbox.
  5. Configure the required weight (stars) for enrollment.
  6. Configure the required weight (stars) for authentication.
    NOTE
    The number of stars required for authentication must be equal to, or less than the number of stars required for enrollment.
  7. To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
  8. Click Save when you are done.

Note that policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.

Removing an identity service

To remove an identity service from a policy, do the following:


  1. Click Configure or Edit Authentication Rules.
  2. Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the Unselected Identity Services box on the right.

Policy configuration best practices

When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery) it is important to bear in mind that certain configurations can adversely affect the enrollment process for users.

When policies for different applications are set up requiring different identity services, the user will have to identify with more services in order to fulfill the requirements for all applications. Configuring policies to use the same set of identity services will shorten the enrollment process for users.

For more information on enrollment, please refer to the Best Practices document.
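The star arithmetic in the configuration steps above (weights, the Required checkbox, and the rule that authentication stars may not exceed enrollment stars) and the multi-application enrollment burden from the best-practices paragraph can both be checked with a small model. The following is an added example, not Specops code: the Service and Policy structures, function names and the sample policies are assumptions made for this illustration; the identity service names and the policy rules are taken from this page.

```python
"""Model of the star-weighted policy rules described above (added example, not
Specops code). Data structures and function names are assumptions; the weight,
Required and authentication-stars <= enrollment-stars rules come from the page."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Service:
    name: str
    stars: int              # weight assigned by the administrator
    required: bool = False  # the "Required" checkbox


@dataclass(frozen=True)
class Policy:
    name: str
    services: tuple            # Service objects in the Selected Identity Services box
    enrollment_stars: int      # stars needed to fill the bar at enrollment
    authentication_stars: int  # stars needed to fill the bar at authentication


def validate_policy(policy):
    """Problems to fix before clicking Save (an empty list means the policy is consistent)."""
    problems = []
    if policy.authentication_stars > policy.enrollment_stars:
        problems.append("authentication stars must not exceed enrollment stars")
    reachable = sum(s.stars for s in policy.services)
    if policy.enrollment_stars > reachable:
        problems.append(f"enrollment stars {policy.enrollment_stars} exceed the "
                        f"{reachable} stars the selected services can provide")
    return problems


def stars_collected(policy, used):
    """Stars a user earns with the services in `used` (names not in the policy count 0)."""
    weights = {s.name: s.stars for s in policy.services}
    return sum(weights.get(name, 0) for name in used)


def missing_required(policy, used):
    return [s.name for s in policy.services if s.required and s.name not in used]


def satisfies(policy, used, phase="authentication"):
    """True when every Required service is used and the star bar is full for `phase`."""
    needed = policy.enrollment_stars if phase == "enrollment" else policy.authentication_stars
    return not missing_required(policy, used) and stars_collected(policy, used) >= needed


def minimal_enrollment(policies):
    """Smallest set of identity services that completes enrollment for every policy.
    Brute force over subsets; policies only list a handful of services."""
    names = sorted({s.name for p in policies for s in p.services})
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            chosen = set(combo)
            if all(satisfies(p, chosen, "enrollment") for p in policies):
                return chosen
    return None  # no subset satisfies all policies (some policy is unreachable)


# Constructed sample policies; the identity service names are the ones on this page.
AUTHENTICATOR = Service("Specops Authenticator", 2, required=True)
MOBILE_CODE = Service("Mobile Code (SMS)", 1)
SECRET_Q = Service("Secret Questions", 1)
DUO = Service("Duo Security", 2)
EMAIL = Service("Email", 1)

URESET = Policy("uReset", (AUTHENTICATOR, MOBILE_CODE, SECRET_Q), 3, 2)
O365_ALIGNED = Policy("Authentication for O365 (same services)",
                      (AUTHENTICATOR, MOBILE_CODE, SECRET_Q), 3, 2)
O365_DIVERGENT = Policy("Authentication for O365 (different services)", (DUO, EMAIL), 2, 2)

if __name__ == "__main__":
    # Two 1-star services are worth as much as the 2-star Specops Authenticator ...
    print(stars_collected(URESET, {"Mobile Code (SMS)", "Secret Questions"}),
          stars_collected(URESET, {"Specops Authenticator"}))
    # ... but Required is still enforced, so the two weak services alone do not authenticate.
    print(satisfies(URESET, {"Mobile Code (SMS)", "Secret Questions"}))
    print(sorted(minimal_enrollment([URESET, O365_ALIGNED])))    # 2 services to enroll with
    print(sorted(minimal_enrollment([URESET, O365_DIVERGENT])))  # 3 services to enroll with
    print(validate_policy(Policy("broken", (MOBILE_CODE,), 2, 3)))
```

With both applications using the same three services the user enrolls with two; when the O365 policy uses a different set, the user has to enroll with three, which is the burden the best-practices paragraph warns about.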

Weak identity services

Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:

  • Security questions
  • Mobile Code (SMS)

Enrollment security modes

When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.

There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).

Low security
Users are only required to provide their Windows password for identification.

Medium security
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.

High security
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.

Note: users will be presented with identity services for (re-)enrollment only if they have previously enrolled with the service and it is part of a policy affecting them. The user’s Windows identity is always part of the (re-)enrollment procedure.

Note: the Low and Medium modes are set automatically, depending on the policy configuration. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.

Auto-enrolled identity services and security modes

For the Medium and High security modes, users who are affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, will have to authenticate with the auto-enrolled identity service on the enrollment page. This means that users must have their enrollment with Duo Security or Okta in place before they can enroll with Specops Authentication.
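The re-enrollment rules of the three security modes, together with the auto-enrolled services just described, are easier to reason about as a function that returns what the user is presented with. This is an added example, not Specops code: the weak and auto-enrolled service lists are taken from this page; the ReenrollmentStep structure and the handling of a user who is enrolled with only one weak service (the page specifies two) are assumptions made for this illustration.

```python
"""Which identity services are presented at re-enrollment under the Low, Medium
and High security modes (added example, not Specops code)."""
from dataclasses import dataclass

WEAK_SERVICES = frozenset({"Secret Questions", "Mobile Code (SMS)"})  # from "Weak identity services"
AUTO_ENROLLED = frozenset({"Duo Security", "Okta"})                  # from "Auto-enrolled identity services"


@dataclass(frozen=True)
class ReenrollmentStep:
    offered: tuple   # identity services shown to the user, on top of the Windows password
    required: int    # how many of them the user has to complete
    must_use: tuple  # auto-enrolled services the user has to authenticate with


def reenrollment_step(mode, enrolled, policy_services):
    """`enrolled`: services the user previously enrolled with; `policy_services`:
    services in the policies affecting the user. The Windows password is always
    asked for and is therefore not listed in the result."""
    mode = mode.lower()
    if mode not in ("low", "medium", "high"):
        raise ValueError(f"unknown security mode: {mode}")
    if mode == "low":
        return ReenrollmentStep((), 0, ())

    auto = set(policy_services) & AUTO_ENROLLED
    # Only services the user is enrolled with AND that a policy uses are candidates;
    # auto-enrolled services count as enrolled because their enrollment lives elsewhere.
    candidates = (set(enrolled) & set(policy_services)) | auto
    if mode == "medium":
        # First-time enrollment (no candidates) needs the Windows password only.
        return ReenrollmentStep(tuple(sorted(candidates)), min(1, len(candidates)),
                                tuple(sorted(auto)))

    strong = candidates - WEAK_SERVICES
    if strong:
        # High: weak services are hidden as long as any strong one is available.
        return ReenrollmentStep(tuple(sorted(strong)), 1, tuple(sorted(auto)))
    weak = candidates & WEAK_SERVICES
    # Assumption: a user enrolled with a single weak service must use that one service.
    return ReenrollmentStep(tuple(sorted(weak)), min(2, len(weak)), ())


if __name__ == "__main__":
    policy = {"Specops Authenticator", "Mobile Code (SMS)", "Secret Questions", "Email"}
    user = {"Specops Authenticator", "Mobile Code (SMS)", "Secret Questions"}
    for mode in ("low", "medium", "high"):
        print(mode, reenrollment_step(mode, user, policy))
    # Only weak services enrolled: High falls back to two of them.
    print("high", reenrollment_step("high", {"Mobile Code (SMS)", "Secret Questions"}, policy))
    # Duo Security in the policy: it must be used even though it was never enrolled here.
    print("high", reenrollment_step("high", {"Secret Questions"}, {"Duo Security", "Secret Questions"}))
```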

Lockout settings

The identity services Mobile Code (SMS), Email, and can be configured to be locked out after wrong inputs by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web , and click on the settings icon next to the identity service in question. The following can be configured:

  • Lockout threshold: determines how many times wrong input can be provided.
  • Lockout duration (in minutes): determines how long the identity service will be locked out for.
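The two settings above define a simple state machine per user: count wrong inputs, and refuse further inputs for the configured duration once the threshold is reached. The following is an added example, not Specops code, of that state machine; the per-user bookkeeping, the "locked"/"wrong"/"ok" outcomes, and the assumption that the failure counter restarts on a correct code and when a lockout expires are choices made for this illustration.

```python
"""Lockout counter for a code-based identity service, driven by the lockout
threshold and lockout duration settings described above (added example, not
Specops code)."""
from datetime import datetime, timedelta
from hmac import compare_digest


class CodeLockout:
    def __init__(self, threshold, duration_minutes):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_minutes)
        self._failures = {}      # user -> consecutive wrong inputs
        self._locked_until = {}  # user -> time at which the lockout ends

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout has expired: clear it (assumption: the counter starts from zero again).
        del self._locked_until[user]
        self._failures[user] = 0
        return False

    def submit(self, user, code, expected, now):
        """Returns "locked", "wrong" or "ok". Even the correct code is refused while locked."""
        if self.is_locked(user, now):
            return "locked"
        if compare_digest(code, expected):  # constant-time comparison of the one-time code
            self._failures[user] = 0
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures >= self.threshold:
            self._locked_until[user] = now + self.duration
            self._failures[user] = 0
            return "locked"
        return "wrong"


def lockout_scenario(threshold=3, duration_minutes=15):
    """Constructed sequence: three wrong codes, then the right one during and after the lockout."""
    lock = CodeLockout(threshold, duration_minutes)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    expected = "4821"  # the one-time code that was sent (constructed value)
    return [
        lock.submit("alice", "0000", expected, t0),
        lock.submit("alice", "0001", expected, t0 + timedelta(seconds=5)),
        lock.submit("alice", "0002", expected, t0 + timedelta(seconds=10)),  # threshold reached
        lock.submit("alice", expected, expected, t0 + timedelta(minutes=5)),  # still locked
        lock.submit("alice", expected, expected, t0 + timedelta(minutes=16)), # lockout over
        lock.submit("bob", expected, expected, t0),                          # other users unaffected
    ]


if __name__ == "__main__":
    print(lockout_scenario())  # ['wrong', 'wrong', 'locked', 'locked', 'ok', 'ok']
```

The threshold is what bounds online guessing of a short code: Mobile Code (SMS) sends a four-digit code, so without a lockout an attacker gets up to 10,000 attempts against one code, while a threshold of 3 caps them at three guesses per issued code.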

Trusted Network Locations setting

When this setting is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.

Identity Services


You can find a full list of available identity services under the Identity Services tab. You can enable or disable all of the identity services in this list, and you configure some of them and manage their system-wide settings on this page.

If an identity service is configurable, you will see a cog icon next to it.

If an identity service is disabled, you will see a cross icon next to it.

If an identity service has been enabled, you will see a check icon next to it.


Once you configure an identity service and enable it, your user will be able to enroll and authenticate with it. If you disable it, the identity service will no longer be available.


The following identity services can be configured:

  • Duo Security: Duo Security is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Duo Security mobile app. They must then enter the code to successfully authenticate. To configure Duo Security, see here.

  • SITHS eID: SITHS eID is a smart card-based authentication service, that enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves. To configure SITHS eID, see here.

  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. This identity service is fully configurable, meaning administrators can decide on the content of the authentication request notification and whether a manager must authenticate before they can approve an authentication request. Each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users. To configure Manager Identification, see here.

  • Mobile Code (SMS): If users choose to enroll with Mobile Code (SMS), they must enter their mobile phone number. They will then receive a one-time four-digit code via an SMS message, which must be entered in order to successfully authenticate. To configure Mobile Code (SMS), see here.
  • Freja: If users choose to enroll with Freja, they need to authenticate in the Freja app on their device. To configure Freja, see here.

  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully. To configure Secret Questions, see here.

  • Symantec VIP: Symantec VIP is a two-step verification service. When users authenticate, they will receive a one-time verification code on the Symantec VIP mobile app. They must then enter the code to successfully authenticate. To configure Symantec VIP, see here.
  • Email and : the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication . has to be registered at enrollment by the user and they may use any email address of their choosing.
  • Okta: Okta is a two-step verification service. When users authenticate, they will receive a notification in their Okta mobile app. They must then acknowledge that notification in order to verify their identity. Users can also choose to have an Okta code sent to them in a text message. To configure Okta, see here.
  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.
  • Passkeys: Users can authenticate with passkeys they have already set up on their device. Passkeys are digital credentials (authenticators) tied to a user account and a website or application. Examples of passkey providers are Windows Hello, Yubikey, Bitwarden, and authentication apps such as Google Authenticator.
  • Entra ID: allows Specops Authentication to integrate with Microsoft Authentication Libraries. Microsoft Authenticator can be used to authenticate with Specops Authentication without using a password.

Customization


There are a number of customization features that give you control over the Specops Authentication end–user interface, including: logos, text, and colors.

The logo at the top left of the page, both in Authentication Web and the Authentication Client, can be changed to match your requirements.


  1. In the Image tab, click Browse under Main logo and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image.

To revert to the default image, click Default.

Main logo image specifications

The following specifications apply to the main logo image:

  • Supported file types: png, gif, jpg.
  • Maximum file size: one megabyte (1 MB).
  • Transparency in png images will be rendered as expected, with the background color showing through the transparent parts.
  • Image will be rendered with a height of 40 pixels.
    • Aspect ratio of the uploaded file will always be kept intact.
    • Images with a height less than 40 pixels will be scaled up to 40 pixels. The quality of the rendered image will decrease.
    • Images with a height above 40 pixels will be scaled down to 40 pixels. Quality is not necessarily affected.
    • For the best results, use an image with a height of exactly 40 pixels and a width of no more than 300 pixels. If the image is too wide, there won’t be sufficient room to render the menu items in the header.

Changing the login image

You can also change the image on the login page that is presented to users.


  1. In the Image tab, click Browse under Login image and select the image you want to use.
  2. Click OK.
  3. Click Upload to place the image. The image will appear at the top left of the page.

To revert to the default image, click Default.

Login image specifications

The specifications for the login image are the same as for the logo (above), except for the size. The login image has a maximum width of 235 pixels. Images less than 235 px wide will be scaled up (which will decrease the quality of the image), and images more than 235 px wide will be scaled down. The aspect ratio of the original image will always be kept in the rendered image.

Changing the colors

Various colors in the interface can be changed to match your company’s look and feel. The colors that can be changed are:

  • Page background (page’s main content area)
  • Menu background (top and side navigation)
  • Sign-in background (login page)
  • Default button (primary buttons)
  • Secondary button (buttons such as Cancel etc.)
  • Information box background (textboxes with additional information)

To change the color:


  1. In the Style tab, select the checkbox in the Customized column next to the color you want to change.
  2. Select the color you want to use:
    • Click the color-picker icon in the Pick color column and select the color you want, then click OK OR
    • Enter the HTML color code (hexadecimal color code) in the text field.

To revert a particular item to its default color, uncheck the Customized checkbox for that item and click Save.

To revert to the default color for all elements, click Default.

Changing the texts

Various texts that are presented to the user in messages and notifications can also be changed.


  1. In the Text tab, select the language you want to make changes to by clicking the tab for that language.
  2. Click the text element you want to change, for example Satisfied, header.
  3. Select Use custom.
  4. Enter the text you want to use in the Custom text field and click Save. The Customized column in the list will now show a checkmark at the text element you changed, while the Current value shows the new text.

To revert to the default text, click the text element, and select Use original, then Save. This will delete the custom text. Note that only deleting the custom text will not revert the text element to the default state (instead, the text field will then be blank).

Changing the names of identity services

The names of some identity services can be changed to better reflect the way in which they are used in your organization. The identity service names that can be changed are:

  • Email (IdService_PrimaryEmail)
  • Manager Identification (IdService_ManagerIdentification)
  • Mobile Code (IdService_MobileCode)
  • Personal Email (IdService_AlternateEmail)
  • Secret Questions (IdService_QAndA)
  • Windows Identity (IdService_WindowsIdentity)

Identity service names are changed in the same way as other texts, in the Texts table.

Enrollment

Each entry below gives the text element, its description, and its default text.

Satisfied, header
    Description: When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the header on that page.
    Default text: All done!

Satisfied, message
    Description: When a user has enrolled with enough identity services to meet the weight requirements, they are sent to a page telling them so and are given the option to continue or end the enrollment process. This is the information text on that page.
    Default text: You have collected enough stars for your enrollment. Feel free to improve your enrollment information by collecting more stars.

Change Registrations, message
    Description: This text is displayed on the page where the user selects identity services during the enrollment process. Specifically, this text is used when the user has opted to make changes to an already complete enrollment.
    Default text: Add or change identity services from the lists below. Make sure your star bar is still full after the changes.

Instructions
    Description: This text is displayed on the page where the user selects identity services during the enrollment process.
    Default text: Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.

Reminder, header
    Description: This is the header that will be displayed on the first page of the enrollment wizard, before the user needs to enter their password.
    Default text: Enrollment Reminder

Reminder, message
    Description: This text will be displayed on the first page of the enrollment wizard, before the user needs to enter their password.
    Default text: You are required to enroll for the Password Reset service. Press the button below to start the enrollment wizard.

Finished, message
    Description: This is displayed on the final page of the enrollment process after the user has enrolled with all available identity services or they have selected the "I'm done" option and not "Collect more stars".
    Default text: You have completed the enrollment, you can now close this browser and move on with your day.

Already enrolled, header
    Description: This is the header on the page shown to a user who is already enrolled.
    Default text: Enrolled

Already enrolled, message
    Description: This is the information text on the page shown to a user who is already enrolled.
    Default text: You are already enrolled! If you want to, you can enroll with additional identity services or make changes to the identity services you are enrolled with.

MFA

Select Identity Service, message
    Description: This text is displayed on the page where the user selects identity services during the login process.
    Default text: Use the identity services below to identify yourself until you have collected enough stars to fill the star bar.

Cannot enroll because no policy, header
    Description: This title is displayed when a user who does not have a policy configured tries to sign in.
    Default text: You cannot enroll for this service

Cannot enroll because no policy, message
    Description: This message is displayed when a user who does not have a policy configured tries to sign in.
    Default text: No policy has been configured for you for this service.

Enrollment Missing, header
    Description: This header is displayed when a user is not enrolled for uReset and tries to reset their password.
    Default text: Enrollment missing

Cannot Reset Password, not enrolled with uReset
    Description: This text is displayed when a user is not enrolled for uReset and tries to reset their password.
    Default text: You cannot reset your password because you have not enrolled for the reset password service.

Cannot Sign in from Untrusted IP
    Description: This text is displayed to an end user when they are trying to sign in but are disallowed because they are not connecting from a Trusted Network Location.
    Default text: You cannot sign in to the {0} resource because you are not connecting from a Trusted Network Location.

Service Desk

Search Users
    Description: This text is displayed on the {0} start page.
    Default text: Use the search box to find users. You can search by account names, email addresses or users' real names.

Advanced Verification default text message body
    Description: During advanced verification, a Service Desk agent can send a text message to the user containing a verification link. The message's default text is determined by this text message template. It can be changed by the Service Desk agent before sending.
    Default text: Verify your identity here {url}

Advanced Verification default email subject
    Description: During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default subject is determined by this email subject template. It can be changed by the Service Desk agent before sending.
    Default text: Verify your identity

Advanced Verification default email body
    Description: During advanced verification, a Service Desk agent can send an email to the user containing a verification link. The email's default text is determined by this email body template. It can be changed by the Service Desk agent before sending.
    Default text: Use this link to verify your identity {url}

RSA SecurID token verification instructions
    Description: Describes how users handle token verification with their RSA SecurID devices. This text should specify whether the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID', but adding this placeholder is not required.
    Default text: Enter a code from the {0} app.

RSA SecurID code verification instructions
    Description: Describes how users handle code verification with their RSA SecurID devices. This text should specify whether the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID', but adding this placeholder is not required.
    Default text: Enter a code from the {0} app.

Password Reset - User Notification Message Body
    Description: Describes the text message body for the user password reset notification. {password} will be replaced with the new user password (this placeholder is required). {upn} will be replaced with the user UPN (not required). {changepasswordlink} will be replaced with the password reset link (not required).
    Default text: Your new password is: {password}

Password Reset - Manager/Custom Notification Message Body
    Description: Describes the message body for the manager password reset notification. {password} will be replaced with the new user password (this placeholder is required). {upn} will be replaced with the user UPN (not required). {changepasswordlink} will be replaced with the password reset link (not required).
    Default text: The new password for {upn} is: {password}

Password Reset - User Notification Sms Body
    Description: Describes the message body for the user password reset notification sent by SMS. {password} will be replaced with the new user password (this placeholder is required). {upn} will be replaced with the user UPN (not required). {changepasswordlink} will be replaced with the password reset link (not required).
    Default text: New password: {password}

Because the {password} placeholder is required in the three password reset notifications, the new password itself travels in clear text over email or SMS; choose the notification channel with that in mind.

Password change/reset

Password Change - Success, message
    Description: This text is displayed when the user is done with a password reset or a password change.
    Default text: Your password has been changed! If you are using a Windows computer, it is recommended to sign out and sign in again with your new password. Also, don't forget to update to your new password in for example the email app on your phone, if necessary.

Password Change - Success, message for Secure Browser
    Description: This text is displayed when the user is done with a password reset or password change that started from the Windows identity password view.
    Default text: Your password has been changed! Don't forget to update to your new password in for example the email app on your phone, if necessary.

Password Change/Reset - Instructions, message
    Description: This text is displayed above the password rules when a user is about to perform a password change or password reset.
    Default text: (none)

Password Change/Reset - Instructions, message on mobile
    Description: This text is displayed on small devices where the user clicks to expand the password instructions, above the password rules, when a user is about to perform a password change or password reset.
    Default text: Show instructions

Password selection page - Instructions
    Description: This text is displayed on the password start page where the user can select between a password change and a password reset.
    Default text: Need to change your password? If you know your current password, you can sign in with that in order to change it. If you have forgotten your password, you can use the second option to sign in and then reset your password.

Password selection page - Title
    Description: This text is displayed on the password start page. This is the section title.
    Default text: New password

Password selection page - Change password button
    Description: This button is displayed on the password start page. It initiates a password change when the password is known.
    Default text: I know my password

Password selection page - Reset password button
    Description: This button is displayed on the password start page. It initiates a password reset when the password is not known.
    Default text: I forgot my password

Other

Username label on username page
    Description: This text is displayed when a user enters their username during sign-in.
    Default text: Username

Username label on password page
    Description: This text is displayed when a user enters their username during sign-in.
    Default text: Username

RSA SecurID token verification instructions
    Description: Describes how users handle token verification with their RSA SecurID devices. This text should specify whether the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID', but adding this placeholder is not required.
    Default text: Enter a code from the {0} app.

RSA SecurID code verification instructions
    Description: Describes how users handle code verification with their RSA SecurID devices. This text should specify whether the verification requires token and/or PIN. {0} will be replaced with 'RSA SecurID', but adding this placeholder is not required.
    Default text: Enter a code from the {0} app.

Unlock selection page - Instructions
    Description: This text is displayed on the unlock start page where the user can unlock their account if the password is known.
    Default text: If you know your current password, but the account is locked out, you can unlock it to be able to sign in.

Unlock selection page - Title
    Description: This text is displayed on the unlock start page. This is the section title.
    Default text: Unlock account

Identity Service

Display name for Windows Identity
    Description: This text will replace the display name for the Windows Identity identity service wherever the identity service is used.
    Default text: Windows Identity

Display name for Mobile Code
    Description: This text will replace the display name for the Mobile Code identity service wherever the identity service is used.
    Default text: Mobile Code

Display name for Email
    Description: This text will replace the display name for the Email identity service wherever the identity service is used.
    Default text: Email

Display name for Personal Email
    Description: This text will replace the display name for the Personal Email identity service wherever the identity service is used.
    Default text: Personal Email

Display name for Manager Identification
    Description: This text will replace the display name for the Manager Identification identity service wherever the identity service is used.
    Default text: Manager Identification

Display name for Secret Questions
    Description: This text will replace the display name for the Secret Questions identity service wherever the identity service is used.
    Default text: Secret Questions

Onboarding

Onboarding start page title
    Description: Title for the Onboarding landing page.
    Default text: Setting a password

Onboarding start page description
    Description: Description on the Onboarding landing page.
    Default text: It is time to select your first password. On the next page you will see a list of rules and restrictions for how a password can be constructed. Once you are happy with your password, you will need to repeat it in the second box.

Invalid Onboarding URL message
    Description: Information to the end user when the link has expired or is invalid.
    Default text: This link for setting your password has expired or is invalid, contact your admin for help.

Not eligible for onboarding
    Description: Error message when a user is not eligible for onboarding after signing in.
    Default text: You are not currently eligible for the onboarding process.

Password Reset information
    Description: Information message on the password reset page during Onboarding.
    Default text: (none)

Setting a fallback language

The fallback language allows administrators to designate secondary customized language strings in case no customized strings exist in the language the end user has set as their interface language. This means that administrators can make sure the correct text is always presented to the user.


  1. In Authentication Web go to Customization > Texts
  2. Click on the tab of the language you want to set as the fallback language, and click Set as fallback language. The fallback language will be marked in bold.
    NOTE
    If a language has been set as the fallback language, the button will allow you to disable the fallback language, otherwise it will allow you to set it.

The order in which text strings are shown to the user is as follows:

  1. Customized value for the user’s current language.
  2. Customized value for the fallback language (if no customized value exists for the current language).
  3. Default text for the current language (if there are no customized values for either the current language or the fallback language).

This feature can be used to make sure that important custom messages are always displayed to users, even when not all available languages have been updated with the same custom message. Example: if you have a custom message for the Enroll Completed message (Enroll_Completed_Message) in French, you can set English as the fallback language and make sure that the Enroll_Completed_Message string in English also has a customized value. If a user has their language set to anything other than French or English, they will still see the English message, even if there is no customized text for their current language.

Reporting


The Reporting menu contains several helpful reports. Browse through the available tabs to view the reports.

  • Usage: From the Usage tab you can view completed enrollments, completed authentications, as well as text message activity (such as notifications, or Mobile Code (SMS) usage).
  • Auditing: From the Auditing tab you can track event changes in uReset. Click Get Events for a complete list of events. Alternatively, filter by resource, or date. The results will be displayed, and you can click on each event for more details.
  • System Events: From the System Events tab you can view the logged operations performed by uReset. The displayed information, warnings, and errors are intended for administrators who are responsible for troubleshooting the system. Click Find without any filtering information for a complete list of activities. Alternatively, filter the activities by type, severity, dates, user, event name, and activity id. The results will be displayed. You can click on each event for more details, including troubleshooting information.
  • Not Enrolled Users: From the Not Enrolled Users tab you can track enrollment progress by generating and exporting reports related to user enrollments.

Subscriptions


You can see the status of your uReset subscription, including enabled features and identity services, from the Subscriptions tab. You can also see usage statistics, including completed authentications by month and for all time.


From the menu, you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage your custom email settings.

Domains

To add multiple domains to your uReset organization account.

  1. Select in Authentication Web.
  2. In the tab, click Add new.
  3. Enter the domain name in the field, and click Save.

You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.

Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.

Preferred Domain

When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).

Setting the preferred domain

  1. Select in Authentication Web
  2. In the list, click Edit for the domain you want to set as the preferred domain.
  3. Select the checkbox.
  4. Click Save

CAPTCHA

In this tab you can configure the settings to dynamically display a CAPTCHA. CAPTCHA is used to prevent scripted username harvesting. This setting will protect the endpoints where a user enters their username. If CAPTCHA is enabled, any suspicious attempts at accessing the endpoints will prompt the user with a CAPTCHA challenge. The Google reCAPTCHA technology is used. It is recommended to enable CAPTCHA.

You can set CAPTCHA to one of the following:

  • Disable Captcha: disables CAPTCHA entirely.
  • Enabled Captcha for requests from untrusted network locations: when Trusted Network Locations is enabled, this option will enable CAPTCHA only for users connecting from IP addresses outside of your trusted network locations.
  • Enable Captcha always: this enables Captcha for all users.
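The three settings above amount to a per-request decision that depends on the caller's source address and the configured Trusted Network Locations. The following is an added example (not Specops code, and not how the product is implemented) that models that decision so an administrator can reason about what each setting does for a given client. The trusted ranges are constructed sample values.

```python
import ipaddress
from enum import Enum


class CaptchaMode(Enum):
    """The three CAPTCHA settings described on this page."""
    DISABLED = "Disable Captcha"
    UNTRUSTED_ONLY = "Enable Captcha for requests from untrusted network locations"
    ALWAYS = "Enable Captcha always"


# Constructed Trusted Network Locations (assumed corporate ranges, one IPv4 and one IPv6).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def is_trusted(client_ip: str, trusted_networks) -> bool:
    """True when the client address falls inside any trusted network.

    ipaddress.ip_address() raises ValueError for a malformed address, so an
    unparseable client IP is never silently treated as trusted.
    A v4 address is never 'in' a v6 network and vice versa.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in trusted_networks)


def captcha_required(mode: CaptchaMode, client_ip: str, trusted_networks) -> bool:
    """Decide whether a username-entry request should receive a CAPTCHA challenge.

    DISABLED never challenges, ALWAYS always challenges, and UNTRUSTED_ONLY
    challenges exactly the requests whose source address is outside the
    trusted ranges. With an empty trusted list, UNTRUSTED_ONLY therefore
    behaves like ALWAYS, which is the safe direction to fail in.
    """
    if mode is CaptchaMode.DISABLED:
        return False
    if mode is CaptchaMode.ALWAYS:
        return True
    return not is_trusted(client_ip, trusted_networks)


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "2001:db8:10::1"):
        for mode in CaptchaMode:
            print(f"{ip:>16}  {mode.name:<14} challenge={captcha_required(mode, ip, TRUSTED_NETWORKS)}")
```

The point worth checking against your own configuration is the last branch: the middle setting only relaxes CAPTCHA for addresses you have explicitly listed, so a client that arrives through a proxy or VPN egress outside those ranges is still challenged.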

CAPTCHA for ADAL browsers

The ADAL browser is a custom browser from Microsoft that is used to perform a delegated authentication from, for example, Microsoft Outlook or Microsoft Word. These browsers are not fully compatible with Google reCAPTCHA, and the end user may be presented with many CAPTCHA challenges in succession. To prevent users from being presented with multiple CAPTCHA challenges, you can check the CAPTCHA Enabled in ADAL browsers checkbox.

NOTE
If SMTP settings have been configured in the Gatekeeper Admin Tool to use your own SMTP provider instead of the Specops Default Configuration (which uses third-party providers, such as SendGrid), this section will be disabled. In order to use the Default Configuration and configure the email settings here, log in to the Gatekeeper Admin Tool, go to Email configuration, click Edit, and change the dropdown to Specops Default Configuration. Then click OK twice.

If you would like to have enrollment, authentication, and user identity verification emails sent from a custom email address, you can configure this here.

NOTE
Setting this email address will not change your notification settings (e.g. for Specops uReset notifications).

  1. Click on the tab
  2. Click on the current email to enter the Email settings
  3. Set the , the , and select the domain from the dropdown.
    NOTE
    Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
  4. Click Save
    NOTE
    Clicking Reset to System Default will revert the email settings back to the default email address set by Specops (from specopssoft.com). This will delete the current email setting.

Configuring DKIM Records for email

DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.

DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. The domain owner also adds a DKIM record, which is a specially formatted TXT record, to the DNS records of the sending domain. This TXT record contains the public key that receiving mail servers use to verify a message's signature.

  1. Send a request for DKIM to Product Support (you can use this form).
  2. Product Support generates a DKIM record, which is sent to you.
  3. Add the DKIM record to your DNS record.
  4. Once added, Product Support can verify the existence of the record.
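Before step 3 it is worth checking the record you were sent, and after step 3 it is worth checking what actually got published, since a typo in the p= tag or an accidentally empty key means receivers will fail verification. The following is an added example (not Specops code) that builds the DNS name a DKIM key lives at and checks a DKIM TXT record for the common mistakes. The selector, domain and key value are constructed placeholders, not real values from the product.

```python
import base64
import binascii

# Constructed sample record of the kind a provider hands back; the p= value is a
# placeholder blob, not a real RSA public key.
SAMPLE_SELECTOR = "selector1"     # assumed selector name
SAMPLE_DOMAIN = "example.com"     # assumed sending domain
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder-public-key-bytes").decode()


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS owner name of a DKIM key record: <selector>._domainkey.<domain> (RFC 6376)."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into its tag=value pairs; raises ValueError on a malformed tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = value.strip()
    return tags


def check_dkim_record(txt: str) -> list:
    """Return the problems found in a DKIM TXT record; an empty list means it looks publishable."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"unsupported version {tags['v']!r}, expected DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= tag (public key)")
    else:
        # Long keys are often published as several quoted DNS strings; receivers
        # concatenate them, so ignore any whitespace that crept in when copying.
        key = "".join(tags["p"].split())
        if key == "":
            problems.append("empty p= tag: this key is revoked and verifiers will reject signatures")
        else:
            try:
                base64.b64decode(key, validate=True)
            except binascii.Error:
                problems.append("p= tag is not valid base64")
    return problems


if __name__ == "__main__":
    print("publish at:", dkim_record_name(SAMPLE_SELECTOR, SAMPLE_DOMAIN))
    print("problems:", check_dkim_record(SAMPLE_RECORD) or "none")
```

To compare the published record with what you were sent, query the TXT record at the name `dkim_record_name()` returns (for example with `dig TXT selector1._domainkey.example.com` or `nslookup -type=TXT`) and run `check_dkim_record()` over the concatenated string; the check deliberately treats an empty p= as a problem because that is the RFC 6376 way of revoking a key.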

The tab displays information on account creation date and the date the terms of service were accepted.

Accounts can be deleted by contacting Specops.

User Counting


You can refresh the enrollment statistics, found on the Reporting page, by starting a new user count. By default, the nightly user count will be performed at 4:00 AM UTC.

The last count statistics can also be found on the page.

Configuring user counting time

Here you can configure at what time user counting will run on the Gatekeeper.

  1. Set the time you want user counting to run.
    NOTE
    Time is set in Coordinated Universal Time (UTC).
  2. Mark the checkbox Send enrollment reminders when the counting is complete in order to send enrollment reminders to users whenever user counting is run.
  3. Click Save Settings.

Manually initiate user counting

User counting can be started at any time by clicking the Start Counting button.

Secure Service Desk


The Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Agents can help users reset their passwords or unlock their computers (if encrypted with BitLocker or Symantec) in a secure and easy-to-use environment. The Service Desk also holds user information and statistics.

NOTE
Note on phone numbers in Active Directory

Important: in order for text messaging to function correctly in the Service Desk, the mobile phone number registered in Active Directory has to follow the E.164 numbering plan format. This means that mobile phone numbers must have the following format: +[country_code][subscriber_number_omitting_first_zero]. For example, for the Swedish (country code 46) phone number 073-3123456, the number in AD should be +46733123456; for the US (country code 1) phone number 415 555 2671, the format in AD should be +14155552671.

Note that registering phone numbers in Active Directory using any other format will result in the service desk agent being unable to send text messages to the user in question.
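Because a wrongly formatted number only shows up when an agent tries to text the user, it pays to audit the attribute up front. The following is an added example (not Specops code) that validates a stored number against E.164 and converts a nationally formatted number using the rule stated above; the small AD export it runs over is constructed sample data, and the user names are placeholders.

```python
import re

# E.164: a leading '+', a country code that does not start with 0, and at most 15 digits in total.
E164_RE = re.compile(r"\+[1-9]\d{1,14}")


def is_e164(number: str) -> bool:
    """True only for a fully E.164-formatted number (no spaces, dashes or '00' prefix)."""
    return E164_RE.fullmatch(number) is not None


def to_e164(national_number: str, country_code: int) -> str:
    """Convert a nationally formatted number using the rule on this page:
    drop separators, drop one leading trunk zero, then prefix '+' and the country code.
    """
    digits = re.sub(r"\D", "", national_number)   # keep digits only: "073-3123456" -> "0733123456"
    if digits.startswith("0"):
        digits = digits[1:]                        # subscriber number omitting the first zero
    if not digits:
        raise ValueError(f"no subscriber digits in {national_number!r}")
    candidate = f"+{country_code}{digits}"
    if not is_e164(candidate):
        raise ValueError(f"{candidate!r} is not a valid E.164 number")
    return candidate


# Constructed sample of what an export of the AD 'mobile' attribute might look like.
SAMPLE_AD_MOBILE = {
    "alice": "+46733123456",   # correct
    "bob":   "073-3123456",    # national format: the Service Desk cannot text this user
    "carol": "+14155552671",   # correct
    "dave":  "0046733123456",  # international prefix '00' instead of '+'
    "erin":  "",               # attribute not set
}


def find_bad_mobile_numbers(ad_mobile: dict) -> dict:
    """Map every user whose stored number would break Service Desk texting to the reason."""
    bad = {}
    for user, number in ad_mobile.items():
        if not number:
            bad[user] = "no mobile number set"
        elif not is_e164(number):
            bad[user] = "not in E.164 format"
    return bad


if __name__ == "__main__":
    for user, reason in find_bad_mobile_numbers(SAMPLE_AD_MOBILE).items():
        print(f"{user}: {reason}")
    print(to_e164("073-3123456", 46), to_e164("415 555 2671", 1))
```

The conversion implements exactly the single-leading-zero rule given on this page; it is the common case, but not every country uses a trunk prefix that is dropped (Italian numbers, for instance, keep their leading 0), so treat `to_e164()` as a starting point for a bulk fix and review the result per country code.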

Configuring a policy for access to the Secure Service Desk

For added security, you can configure multi-factor authentication policies for users (typically service desk agents) accessing the service desk.

  1. Click on Service Desk in the left navigation.
  2. Click on the Configure button to configure the policy.
  3. Configure the policy, then click Save.

Configuring settings for Secure Service Desk

On the Settings page you can configure the following:

  • Identity verification
  • Verification override URL
  • Password reset options
  • User privacy options
  • Key Recovery options
  • Enrollment options

Identity verification

If this setting is enabled, the user's password cannot be reset, nor can their computer be unlocked by the service desk, until the user's identity has been verified by having them authenticate with any of the identity services they have previously enrolled with.

  1. Click on Service Desk in the left navigation.
  2. Click on the Settings button to configure the settings.
  3. Check the Enforce identity verification checkbox, and click Save.

Verification override URL

Here you can enter a verification override URL which will be shown to a Service Desk agent when the verification URL can't be sent to the user directly. The service desk agent can then read the URL to the user. For more information on this feature and its set-up, see the Override URL page.

Password reset options

The following options can be enabled in the password reset settings:

  • Force users to change password after reset
    If this option is enabled, Service Desk agents cannot input passwords manually for resets. The new password will be sent to the user in an email or text message.
  • Allow manual password override (to override system-generated passwords if the System-generated passwords option has been enabled)
  • Allow only system-generated passwords (to enable the generation of passwords by the system; the Service Desk agent will not be able to read the generated password)
  • Notifications (see the Enabling additional notification methods section below)

Enabling additional notification methods

This section allows for configuring the notification possibilities for the service desk agent. In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following settings can be enabled:

  • Enable sending new passwords through email or text message: when this option is checked, the email and text notification methods are available to the service desk agent (provided that the attributes for the user are configured correctly in Active Directory)
  • To custom email: allows sending notification emails to email addresses other than those registered in Active Directory.
  • To manager: allows sending notifications to the user's manager (email and text message, if correctly configured in Active Directory)

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand Password reset options.
  4. Check Enable sending new passwords to managers to enable sending to a manager.
  5. Check Enable sending new passwords to custom email addresses to enable sending to custom emails.
    This option is not available if the System-generated passwords option has been enabled. This is a security precaution to avoid having the Service Desk agent be able to read the generated password.
  6. Click Save

User privacy options

These options can be used to restrict service desk agents' access to certain user information. The following options are available:

  • Part of number: enables showing, hiding or only showing part of the user's phone number for the service desk agent.
  • Show/Hide (email): enables showing or hiding the user's email address for the service desk agent.

Hiding a user's phone number and/or email address

  1. Select Service Desk in the left navigation.
  2. Click the Settings tab.
  3. Expand User privacy options.
  4. Set the first drop-down to Hide to hide the user's phone number from the service desk agent's view. Note that it is also possible to show part of the telephone number to the service desk agent.
  5. Set the second drop-down to Hide to hide the user's email from the service desk agent's view.
  6. Click Save

Key Recovery options

This section allows you to configure additional notifications for key recovery operations:

  • Enable sending the Recovery Key to managers: allows sending the Recovery Key to the user's manager if configured correctly in Active Directory.
  • Enable sending the Recovery Key to custom email addresses: allows sending the Recovery Key to emails other than those associated with the user in Active Directory. The custom emails are required to be in the registered domains.

Enrollment options

Here you can configure whether or not service desk agents can enroll users for certain identity services without user intervention. This feature can only be used when the user has been verified. For more information on this feature, please see the Enrollment section.

Configuring Add Enrollment

  1. Go to Secure Service Desk > Settings
  2. Open Enrollment options
  3. Check the option Allow Service Desk agent to enroll users
  4. Make sure the identity services are configured correctly to allow adding enrollments.
    NOTE
    The setting Update mobile number in AD needs to be set to one of the following:
    • Always
    • If number is missing in Active Directory
    • Store in user subobject (encrypted)
    Note also that if the setting is set to If number is missing in Active Directory and the number is already present in Active Directory, the Add enrollment feature will not work.

Troubleshooting Add Enrollment

If the Add Enrollment button is inaccessible, administrators should check the following:

  • Check that Add Enrollment is enabled in the Secure Service Desk Settings (Enrollment options).
  • Check that the Mobile Code (SMS) and/or identity services are enabled.
  • Check that the settings for the Mobile Code (SMS) identity service allow adding the user's mobile number to AD.
    NOTE
    The feature will also not be available if the Update mobile number in AD setting is set to If number is missing in Active Directory and there is already a number present in AD.

Language options

The language options let you set the preferred language for emails and SMS messages sent from the Secure Service Desk.

  1. Go to Secure Service Desk > Settings.
  2. Open Language options.
  3. Check the box marked Use preferred language.
  4. In the language dropdown, select the language you want to use as the preferred language.
  5. Click Save

Customizing emails and texts for Manager Identification

One of the Quick Verification options is to have a user's manager identify the user. This is done by sending a verification link to the user's manager by either text message or email. These messages can be customized in the Manager Identification identity service.

  1. Click on Identity Services in the left navigation
  2. Click on Manager Identification
  3. Select the Service Desk Configuration tab at the top
  4. Enter the Subject and Body texts of the message
    NOTE
    In the Subject as well as Body fields, placeholder texts can be used. The following placeholders are available:
    • %UserDisplayName%: inserts the display name of the user who needs to be identified
    • %UserUPN%: inserts the UPN of the user from Active Directory
    • %ManagerVerificationUrl%: inserts the verification URL the manager can click to verify the user
    • %ManagerDisplayName%: inserts the manager's display name
    • %ServiceDeskUserDisplayName%: inserts the display name of the service desk agent sending the message
  5. Mark the Enabled checkbox to enable the message
    NOTE
    To (temporarily) disable the custom message, remove the checkmark from this checkbox.
  6. Click Save