Gatekeeper Admin Tool

The Gatekeeper Admin Tool provides an overview of the installed components and can be used to manage the system wide configuration settings created during installation.

Gatekeeper

The following settings can be configured from the Gatekeeper tab.

Upgrade Gatekeeper Admin Tool

For more information on upgrading to the latest version of Specops Authentication, click here.

View certificates

The certificates for both the Gatekeeper Client and the Gatekeeper BAckend Authentication can be accessed by clicking on the View link.

Change proxy settings

If your organization is using a forward proxy server to route internet traffic externally, you will need to configure the proxy server to allow the Gatekeeper to reach the internet. Click Edit on the Proxy row and specify the address as a complete URL, including the protocol and any custom port.

Change Gatekeepers

If you have multiple Gatekeepers, you can switch between them:

  1. Click Change on the top left.
  2. In the Select Gatekeeper window, highlight the Gatekeeper you want to switch to.
  3. Click OK.

General commands

In the top right of this tab there is a box with general commands. These include the following:

  • Refresh: refreshes the information in the tab.
  • Check for new admin tool version: checks if the admin tool needs to be updated.
  • Migrate from SPR: opens the migration wizard for migrating Specops Password Reset data.
  • Clear caches on all Gatekeepers: clears all caches on the Gatekeepers.

Managing offline Gatekeepers

In order to correctly resolve all available Gatekeepers, any offline (unused) Gatekeepers need to be disposed of correctly. The recommended way to do this is via the Gatekeeper Admin Tool.

Unregistering Gatekeepers (recommended)

  1. In the Gatekeeper Admin Tool, make sure you have accessed the Gatekeeper you want to unregister (for information on changing to other Gatekeepers, see the Change Gatekeeper section above.
  2. Click Unregister in the top right of the Gatekeeper Installation field.
  3. Confirm that you want to unregister this Gatekeeper by clicking Yes in the Unregister Gatekeeper window.

Manually removing gatekeepers

If, for any reason, the offline (unused) Gatekeeper was not unregistered using the abovementioned method (e.g. because the server it was installed on is no longer present for some reason), additional manual steps need to be taken.

NOTE
If an unused Gatekeeper has not been unregistered in the Gatekeeper Admin Tool, the remaining files will need to be removed manually in order for Gatekeeper to be resolved correctly.
  1. Remove the Gatekeeper from the cloud
    1. Access Authentication Web and click on Gatekeepers.
    2. Highlight the Gatekeeper you want to unregister in the list.
    3. Click Unregister Gatekeeper
      NOTE
      This unregister process is not the same as the one performed by the Gatekeeper Admin Tool. The unregister process initiated from the Gatekeeper Admin Tool will perform all necessary steps to dispose of the unused Gatekeeper, and does not require any manual steps.
    4. In the confirmation window, click Unregister.
  2. Remove the Service Connection Point (SCP) from Active Directory.
    1. On the server where the Gatekeeper is installed, open the Active Directory Users and Computers tool.
    2. Make sure that Advanced Features is turned on (top menu View > Advanced Features).
    3. Navigate to System > Specops > SpecopsAuthentication > Gatekeepers.
    4. Right-click on the correct Gatekeeper and select Delete.

Active Directory Settings

The following settings can be configured from the Active Directory Settings tab.

Edit the scope of management

The Active Directory scope determines which users can use the Specops Authentication service.

  1. On the Gatekeeper Admin Tool , click Active Directory Settings.
  2. Find the row where the current Active Directory scope is displayed, and click Edit.
  3. Select the desired Active Directory scope, and click Add. Multiple locations can be selected if you want multiple scopes of management.
  4. Click OK.

Enable password resets in Specops Authentication

You can enable the uReset and Secure Service Desk features in Specops Authentication. For uReset enable end-users to address common tasks related to password management, including forgotten passwords. This feature is locked unless you have uReset as a part of your subscription. For Secure Service Desk this enables the administration of users in Secure Service Desk. This feature is locked unless you have Secure Service Desk as a part of your subscription.

  1. In the Gatekeeper Admin Tool, click Active Directory Settings.
  2. In the Active Directory Settings section, click Change in the Allow password resets row.
  3. Select one of the following options when enabling the password reset feature:
    • Standard Security Mode: All users that are members of the Specops Authentication Service Desk Agents group will be able to reset passwords for other users.
    • Delegated Security Mode: The access control for resetting passwords for other users is based on the actual security configuration (‘reset password’ permission) in Active Directory.
  4. Click OK.

Add/remove members to security groups

You can add additional members to the Admin, User admin, Gatekeepers, and Reporting Readers groups. Users that are members of the Admin group are portal administrator on the Specops Authentication Web . Users that are members of the User Admin group are able to access the user management features on the Specops Authentication Web . Users that are members of the Gatekeepers group have permission to read user information.

  1. On the Gatekeeper Admin Tool , click Active Directory Settings.
  2. Find the security group you want to edit, and click Edit members.
  3. To add a member, click Add member, and enter the name of the user or group you want to add, then click OK.
  4. To remove a member, select a member from the Group members list, and click Remove selected member, then click OK.
  5. Click OK.

Reporting Readers group

Members of the Reporting Readers security group in the Gatekeeper Admin Tool can log in to Specops Authentication Web to view reports. Unless they are also members of other security groups, they will not see any other sections in Specops Authentication Web.

Members in this group will be able to see all reports related to the account. You cannot filter which reports are visible or not.

Specify preferred Domain Controller

By default, Specops Authentication will use the closest available Domain Controller. Click Change to specify the preferred Domain Controller.

uReset

The following settings can be configured from the uReset tab.

Manage uReset GPOs

You can tag the GPOs you want to use with the Specops uReset feature on Specops Authentication . Affected users can manage password resets and changes with Specops uReset .

  1. On the Gatekeeper Admin Tool , click uReset.
  2. Click Tag GPOs, select the Group Policy Object, and click OK.

Managing end-user notifications in uReset

The notification settings affect the Specops Authentication Client, an optional component installed on workstations, which can notify users if they required to enroll in the system. The type of reminders you want your users to receive, and how often they should receive them, can be configured as well.

  1. In the Gatekeeper Admin Tool, click uReset.
  2. In the Client Notification GPOs section, find the GPO (if already configured) you want to alter and click Edit, or if no GPOs have been configured yet, click Select GPO, then in the list, mark the correct GPO and click OK.
  3. In the User status check interval section, configure how often the Specops Authentication Client check the user’s enrollment status. A user that has not enrolled with Specops Authentication will receive an enrollment reminder.
    NOTE
    If Specops Password Policy is also used, this setting also configures how often user’s password is checked for expiration.
  4. In the When to show enrollment reminder section you can configure the reminder to appear at the following events/intervals (the intervalk refers to the interval set in the previous step):
    • At logon and at each interval
    • At logon only
    • At each interval
    • Never
    NOTE
    When to show enrollment reminder does not affect the password expiration reminder.
  5. In the enrollment reminder mode settings, select one of the following options:
    • Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
    • Start browser: The reminder opens a browser window with the enrollment web page.
    • Start unclosable fullscreen browser: The reminder opens a full screen browser window with the enrollment web page which cannot be closed until the enrollment has been completed.

Reset password link update

Click Update to refresh the list of useful links

Office 365

From the Office 365 tab you can tag the GPOs you want to use with Specops Authentication . Affected users can have their authentication, provisioning, and licensing settings configured from the Specops Authentication Web . Alternatively, if you want Specops Authentication to be applied to the scope selected during the Gatekeeper installation, skip this step, and select Cloud in the last step when configuring Specops Authentication with O365.

  1. On the Gatekeeper Admin Tool , click Office 365.
  2. Click Tag GPOs, select the Group Policy, and click OK.

Update useful links

Click Update to refresh the list of useful links.

Email configuration

If you do not wish to use the default Specops configuration, which uses third-party providers, such as SendGrid, to send email notifications, you can configure your own SMTP provider in this section of the Gatekeeper Admin Tool. For information on editing the default Specops configuration in Specops Authentication Web, please refer to the Specops Authentication Web page.

NOTE
Configuring the SMTP setting in the Gatekeeper Admin Tool will disable any configuration in Specops Authentication Web.

Configuring SMTP settings

SMTP settings can be configured in three ways:

  • Using the Specops Default Configuration (configured in Specops Authentication Web
  • Using SMTP with anonymous access
  • Using SMTP with basic authentication
  1. Click Edit
  2. Select which type of configuration you would like to use from the drop-down (anonymous or basic authentication)
  3. Enter the domain for the SMTP server (required field)
  4. Set the maximum number of concurrent connections the Gatekeeper will use whan sending emails.
    NOTE
    Any time changes are made in this field, all affected Gatekeepers need to be restarted.
    NOTE
    The default for the maximum number of concurrent connections is set to 10. Please consult your SMTP server documentation on how many concurrent connections are allowed.
  5. Enter the SMTP port (default is set to port 25)
  6. Use the dropdown to set whether TLS (Transport-Level Security) is to be used.
    NOTE
    Set this option to Yes if you want to enable encryption for outgoing mail. Note that enabling TLS will automatically set the SMTP port to 587.
    NOTE
    Note that a valid SSL certificate is required to use TLS when sending SMTP mails.
  7. Enter the Sender Email Address (required field) and Sender Display Name
  8. For Basic Authentication only: enter the SMTP username and password
  9. Click OK
  10. Click OK in the success dialog box and restart all Gatekeepers if the Max concurrent connection option was changed.

Azure AD Settings

You can use Azure AD to sync on reset or change password. In order to configure Azure AD setting in the Gatekeeper Admin Tool, first you have to set up an App in Azure AD and give it the correct permissions.

Requirements

Requirement
Tenant in Azure AD
Subscriptions in Azure AD

Configuring an app in Azure

  1. Login to https://aad.portal.azure.com/
  2. Click on Azure Active Directory. This should bring you to your org's directory.
  3. Click on App Registrations.
  4. Click on New registration.
  5. Enter a name for the app in the Name field.
  6. Using the radio buttons, select the supported account type (Single Tenant or Multitenant)
  7. Click on Register. In the following app summary screen, under the Essentials section, make a note (copy) of the Application (client) ID and the Directory (tenant) ID. These will be used for configuration.
  8. In the left navigation of the app summary screen, click Certificates & Secrets.
  9. Click on New client secret. Enter a description and set an expiry period using the Expiry dropdown, then click Add.
  10. Copy and store the secret in the Value column for the password. This will also be used for configuration.
    NOTE
    When configuring a sync point (Specops Password Sync), note that this value needs to be pasted in the Provider password field in the Sync Point configuration.
  11. In the Azure Active Directory admin center's (left-most) left navigation, click on Azure Active Directory, then click on Roles and administrators.
  12. In the list, click on a role that will be sufficient for resetting passwords.
    NOTE
    For an overview of roles and their permissions, please go to Working with users in Microsoft Graph. Note that the minimum required role for resetting passwords is the Password Administrator role.
  13. Click on Add assignments at the top. The Add Assignments sidebar will open on the right.
  14. In the search box, enter the registered app name, click on the app in the search result list, then click Add at the bottom.

Next steps

Write down or copy the Application (client) ID, Directory (tenant) ID, and the Client Secret, then proceed to configure the Azure AD Settings in the Gatekeeper Admin Tool.

Configuring the Gatekeeper Admin Tool

  1. In the Gatekeeper Admin Tool, select Azure AD Settings.
  2. In the Azure AD Settings field, click Edit.
  3. Enter the Client ID (Application (client) ID).
  4. Enter the Tenant ID (Directory (tenant) ID).
  5. Enter the Client Secret (Client Secret Value).
  6. Click OK.
  7. In the right navigation box, click Test connection to see if a connection to Azure AD was established.

Once the connection is established, the Gatekeeper will start syncing with Azure AD on password reset or change.

Windows Identity

This section shows the settings for Windows Integrated Authentication. These settings can also be edited here.

NOTE
NTLM is a legacy protocol, which is only available to older Specops customers. New customers will have the identity service disabled by default, and will only be able to choose between Disabled or Kerberos.

Windows Integrated Authentication allows users' Active Directory credentials to pass through their browser to a web server, sent hashed (NTLM) or encrypted (Kerberos). Configuring Integrated Authentication for the user will automatically authenticate the user with Windows Identity, and grant the Windows Identity authentication token.

Enabling Integrated Authentication

By default, Integrated Authentication is disabled for new customers. If you want to use Integrated Authentication, do the following:

    NOTE
    It is recommended to use the Group Managed Service Accounts account type during installation of Getekeepers. For more information, see the Group Managed Service Accounts information below.
  1. In the Gatekeeper Admin Tool, select Windows Identity.
  2. In the Integrated Authentication Settings field, click Edit.
  3. In the Select authentication protocol dropdown, select the protocol you want to use: NTLM or Kerberos.
    NOTE
    It is not recommended to use the NTLM protocol. NTLM is a legacy protocol that provides less security. Please consider using the Kerberos protocol instead.
  4. Click OK.
  5. Add the Integrated Authentication url to the Trusted Sites in Internet Options for every client.
    NOTE
    This can be done by adding the URL to the list of Trusted Sites in Windows Control Panel> Internet Options > Security Tab > Trusted Site > Site, then add the URL. It can also be done through the registry. More information on the latter can be found here. Note that the blogpost referenced here deals with a different URL, although the process is the same.

For more information on Windows Identity, please see the Windows Identity page.