Specops Authentication Web
The Specops Authentication Web can be used to view system information and manage various aspects of the product, including system-wide configuration and multi-factor authentication policies for its various resources. Once you have installed and configured the Gatekeeper, users who are members of the Authentication Admin Group can further configure the solution from the Specops Authentication Web:
- US datacenter: https://login.specopssoft.com/authentication/admin
- EU datacenter: https://eu.login.specopssoft.com/authentication/admin
For more information and general administration, refer to Specops Authentication Web.
The configuration steps that are specific for Specops Secure Service Desk are described below.
Note
Note on phone numbers in Active Directory
Important: in order for text messaging to function correctly in the Service Desk, the mobile phone number registered in Active Directory has to follow the E.164 numbering plan format. This means that mobile phone numbers have to have the following format: +[country_code][subscriber_number_omitting_first_zero]. For example, for the Swedish (country code 46) phone number 073-3123456, the number in AD should be +46733123456; for the US (country code 1) phone number 415 555 2671, the format in AD should be +14155552671.
Note: registering phone numbers in Active Directory using any other format will result in the Specops Service Desk Agent being unable to send text messages to the user in question.
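Because a non-E.164 mobile number silently breaks text messaging for that user, it is worth auditing the attribute before agents depend on it. The following PowerShell is an added example (not Specops code) that checks the two numbers from the note above against the E.164 rule and suggests a corrected value; it assumes the attribute in use is `mobile`, the sample users are constructed, and the per-user default country code is known to you (the `CountryCode` field is an assumption, not an AD attribute).

```powershell
# Added example, not part of the Specops documentation or product.
# Audit AD mobile numbers for E.164 format (+[country_code][subscriber_number_omitting_first_zero]).

function Test-E164Number {
    param([string]$Number)
    # E.164: leading '+', then 1-15 digits, first digit non-zero, nothing else (no spaces or dashes).
    return $Number -match '^\+[1-9]\d{1,14}$'
}

function ConvertTo-E164Number {
    param(
        [Parameter(Mandatory)][string]$Number,
        [Parameter(Mandatory)][string]$CountryCode   # assumed default country for national-format numbers
    )
    if (Test-E164Number $Number) { return $Number }
    $digits = $Number -replace '\D', ''                                           # keep digits only
    if ($Number.TrimStart().StartsWith('+')) { return "+$digits" }               # international, just badly spaced
    if ($digits.StartsWith('00'))            { return "+$($digits.Substring(2))" } # '00' international prefix
    if ($digits.StartsWith('0'))             { $digits = $digits.Substring(1) }    # drop national trunk zero
    return "+$CountryCode$digits"
}

# Constructed sample users; the first two numbers are the ones used in the note above.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'asvensson'; mobile = '073-3123456';  CountryCode = '46' }
    [pscustomobject]@{ SamAccountName = 'jdoe';      mobile = '415 555 2671'; CountryCode = '1'  }
    [pscustomobject]@{ SamAccountName = 'ok.user';   mobile = '+46733123456'; CountryCode = '46' }
)
# Against a real directory you would instead start from:
#   Get-ADUser -Filter 'mobile -like "*"' -Properties mobile
# and supply the country code from your own data (e.g. the user's office location).

foreach ($u in $sampleUsers) {
    if (Test-E164Number $u.mobile) { continue }
    $fixed = ConvertTo-E164Number -Number $u.mobile -CountryCode $u.CountryCode
    Write-Output "$($u.SamAccountName): '$($u.mobile)' is not E.164; suggested value $fixed"
    # Review the suggestion before writing it back, e.g.:
    #   Set-ADUser -Identity $u.SamAccountName -Replace @{ mobile = $fixed }
}
```

Expected suggestions for the constructed data are +46733123456 for asvensson and +14155552671 for jdoe; ok.user is already compliant and is skipped. The conversion only guesses the country code for national-format numbers, so treat its output as a review list rather than applying it blindly.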
Secure Service Desk agent roles
There are two distinct types of Secure Service Desk agents: Specops Service Desk Agent and Specops Service Desk User Verifier. These two types of agents each have a different set of permissions:
Specops Service Desk Agent has permissions to perform all actions in the Secure Service Desk.
Specops Service Desk User Verifier can perform the following actions:
- Verify Identity (both Quick and Advanced verification)
- View user Enrollments
- Send Enrollment links to users
Configuring a Policy for Access to the Secure Service Desk
For added security, you can configure multi-factor authentication policies for users (typically Specops Service Desk Agents) accessing the service desk.
- Log in to the Specops Authentication Web and click on Service Desk in the left navigation.
- Click on Configure to configure the policy.
- Click the plus-icon for those identity services you want to include in the policy.
- Click Save.
Configuring Settings for Secure Service Desk
On the Settings page you can configure the following:
- Identity verification
- Verification override URL
- Password reset options
- User privacy options
- Key Recovery options
- Enrollment options
Identity Verification
Force Identity Verification
If this setting is enabled, the user’s password cannot be reset, nor can their computer be unlocked by the service desk, until the user's identity has been verified by having them authenticate with any of the identity services they have previously enrolled with.
- Click on Service Desk in the left navigation.
- Click on the Settings button to configure the settings.
- Click on the Identity Verification section.
- Check the Enforce identity verification checkbox, and click Save.
Note
When users have RSA hardware tokens with PIN, RSA will be the required advanced verification option.
Configure Enabled Verification Methods
By default, all available (and future) verification methods are enabled in Service Desk. If you want to control which verification methods can be used in Service Desk, you can do that here.
Note
Remember that when this setting is enabled, newly introduced verification methods must be enabled through these settings before they can be used in the Service Desk.
- Click on Service Desk in the left navigation.
- Click on the Settings button to configure the settings.
- Click on the Identity Verification section.
- Click on the Configure enabled verification methods button.
- Check the Use only explicitly enabled verification methods checkbox.
- Enable or disable the verification methods of your choice by clicking their status button.
Verification Override URL
Here you can enter a verification override URL which will be shown to a Service Desk agent when the verification URL can't be sent to the user directly. The service desk agent can then read the URL out to the user. For more information on this feature and its setup, see the Override URL page.
Password Reset Options
The following options can be enabled in the password reset settings:
- Force users to change password after reset
Note
If this option is enabled, Service Desk agents cannot input passwords manually for resets. The new password will be sent to the user in an email or text message.
- Allow manual password override (to override system-generated passwords if the System-generated passwords option has been enabled)
- Allow only system-generated passwords (to enable the generation of passwords by the system; the Specops Service Desk Agent will not be able to read the generated password)
- Notifications (see the Enabling additional notification methods section below)
Enabling Additional Notification Methods
This section allows you to configure the notification methods available to the Specops Service Desk Agent. In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following settings can be enabled:
- Enable sending new passwords through email or text message: when this option is checked, the email and text notification methods are available to the Specops Service Desk Agent (provided that the attributes for the user are configured correctly in Active Directory)
- To custom email: allows sending notification emails to email addresses other than those registered in Active Directory.
- To manager: allows sending notifications to the user's manager (email and text message, if correctly configured in Active Directory)
- Select Service Desk in the left navigation.
- Click the Settings tab.
- Expand Password reset options.
- Check Enable sending new passwords to managers to enable sending to a manager.
- Check Enable sending new passwords to custom email addresses to enable sending to custom emails.
Note
This option is not available if the System-generated passwords option has been enabled. This is a security precaution to avoid having the Specops Service Desk Agent be able to read the generated password.
- Click Save.
User Privacy Options
These options can be used to restrict Specops Service Desk Agents' access to certain user information. The following options are available:
- Part of number: enables showing, hiding, or showing only part of the user's phone number to the Specops Service Desk Agent.
- Show/Hide (email): enables showing or hiding the user's email address for the service desk agent.
Hiding a User's Phone Number and/or Email Address
- Select Service Desk in the left navigation.
- Click the Settings tab.
- Expand User privacy options.
- Set the first drop-down to Hide to hide the user's phone number from the service desk agent's view. Note that it is also possible to show part of the telephone number to the service desk agent.
- Set the second drop-down to Hide to hide the user's email from the service desk agent's view.
- Click Save.
Key Recovery Options
This section allows you to configure additional notifications for key recovery operations:
- Enable sending the Recovery Key to managers: allows sending the Recovery Key to the user's manager if configured correctly in Active Directory.
- Enable sending the Recovery Key to custom email addresses: allows sending the Recovery Key to emails other than those associated with the user in Active Directory. The custom emails are required to be in the registered domains.
Enrollment Options
Here you can configure whether or not Specops Service Desk Agents can enroll users for certain identity services without user intervention. This feature can only be used when the user has been verified. For more information on this feature, please see the Enrollment section on the Customization page.
Configuring Add Enrollment
- Go to Secure Service Desk > Settings
- Open Enrollment options
- Check the option Allow Service Desk agent to enroll users
- Make sure the identity services are configured correctly to allow adding enrollments.
Note
The setting Update mobile number in AD needs to be set to one of the following:
- Always
- If number is missing in Active Directory
- Store in user subobject (encrypted)
Note also that if the setting is set to If number is missing in Active Directory and the number is already present in Active Directory, the Add enrollment feature will not work.
Troubleshooting Add Enrollment
If the Add Enrollment button is inaccessible, administrators should check the following:
- Check that Add Enrollment is enabled in the Secure Service Desk Settings (Enrollment options).
- Check that the Mobile Code (SMS) and/or Personal Email identity services are enabled.
- Check that the settings for the Mobile Code (SMS) identity service allow adding the user's mobile number to AD.
Note
The feature will also not be available if the Update mobile number in AD setting is set to If number is missing in Active Directory and there is already a number present in AD.
Language Options
The language options let you set the preferred language for emails and SMS messages sent from the Secure Service Desk.
- Go to Secure Service Desk > Settings.
- Open Language options.
- Check the box marked Use preferred language.
- In the language dropdown, select the language you want to use as the preferred language.
- Click Save.
Customizing Emails and Texts for Manager Identification
One of the Quick Verification options is to have a user's manager identify the user. This is done by sending a verification link to the user's manager by either text message or email. These messages can be customized in the Manager Identification identity service.
- Click on Identity Services in the left navigation
- Click on Manager Identification
- Select the Service Desk Configuration tab at the top
- Enter the Subject and Body texts of the message
Note
In both the Subject and Body fields, placeholders can be used. The following placeholders are available:
- %UserDisplayName%: inserts the display name of the user who needs to be identified
- %UserUPN%: inserts the UPN of the user from Active Directory
- %ManagerVerificationUrl%: inserts the verification URL the manager can click to verify the user
- %ManagerDisplayName%: inserts the manager's display name
- %ServiceDeskUserDisplayName%: inserts the display name of the service desk agent sending the message
- Mark the Enabled checkbox to enable the message
Note
To (temporarily) disable the custom message, remove the checkmark from this checkbox.
- Click Save.