Account
On the Account page you can add multiple domains to your Specops Authentication organization account, manage CAPTCHA settings, and manage custom email settings.
Domain names
To add multiple domains to your organization account:
- Select Account in Authentication Web.
- In the Domain names tab, click Add new.
- Enter the domain name in the Domain name field, and click Save.
You can designate domains associated with your account as verified to ensure an extra level of security. You can read more about Domain Verification here.
Domain Name Protection ensures that your Specops Authentication account cannot be accessed automatically using your registered domain name. You can read more about Domain Name Protection here.
Preferred Domain
When you have multiple domains registered, you can designate one of them to be the preferred domain. This will then be the domain shown in all URLs associated with Specops Authentication after the ?domain= parameter (Admin pages, enrollment, etc.).
Setting the Preferred Domain
- Select Account in Authentication Web.
- In the Domain names list, click Edit for the domain you want to set as the preferred domain.
- Select the Set as preferred domain checkbox.
- Click Save.
CAPTCHA
In this tab you can configure the settings to dynamically display a CAPTCHA. CAPTCHA is used to prevent scripted username harvesting. This setting will protect the endpoints where a user enters their username. If CAPTCHA is enabled, any suspicious attempts at accessing the endpoints will prompt the user with a CAPTCHA challenge. The Google reCAPTCHA technology is used. It is recommended to enable CAPTCHA.
You can set CAPTCHA to one of the following:
- Disable Captcha: disables CAPTCHA entirely.
- Enabled Captcha for requests from untrusted network locations: when Trusted Network Locations is enabled, this option will enable CAPTCHA only for users connecting from IP addresses outside of your trusted network locations.
- Enable Captcha always: this enables Captcha for all users.
CAPTCHA for ADAL Browsers
The ADAL browser is a custom browser from Microsoft that is used to perform a delegated authentication from, for example, Microsoft Outlook or Microsoft Word. These browsers are not fully compatible with Google reCAPTCHA, and the end user may be presented with many CAPTCHA challenges in succession. To prevent users from being presented with multiple CAPTCHA challenges, you can check the CAPTCHA Enabled in ADAL browsers checkbox.
Email Settings
Note
If SMTP settings have been configured in the Gatekeeper Admin Tool to use your own SMTP provider instead of the Specops Default Configuration (which uses third-party providers, such as SendGrid), this section will be disabled. In order to use the Default Configuration and configure the email settings here, log in to the Gatekeeper Admin Tool, go to Email configuration, click Edit, and change the dropdown to Specops Default Configuration.
If you would like to have enrollment, authentication, and user identity verification emails sent from a custom email address, you can configure this here.
Note
Setting this email address will not change your notification settings (e.g. for Specops uReset notifications).
- Click on the Email settings tab.
- Click on the current email to enter the Email settings.
- Set the Sender Display Name, the Sender Address, and select the domain from the dropdown.
Note
Only your verified domains and any additional domains you have registered will appear in the dropdown. For more information on email notifications from SA, see this knowledge base article.
- Click Save.
Note
Clicking Reset to System Default will revert the email settings back to the default email address set by Specops (from specopssoft.com). This will delete the current email setting.
Configuring DKIM Records for Email
DomainKeys Identified Mail (DKIM) is an authentication standard used to prevent email spoofing. Specifically, DKIM attempts to prevent the spoofing of a domain that's used to deliver email.
DKIM employs the concept of a domain owner who controls the DNS records for a domain. When sending email with DKIM enabled, the sending server signs the messages with a private key. The domain owner also adds a DKIM record, which is a modified TXT record, to the DNS records of the sending domain. This TXT record contains a public key that receiving mail servers use to verify a message's signature.
- Send a request for DKIM to Product Support (you can use this form).
- Product Support generates a DKIM record, which is sent to you.
- Add the DKIM record to your DNS record.
- Once added, Product Support can verify the existence of the record.
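A check you can run on the DKIM record once it is published, as an added example (not Specops code): it joins the TXT strings the way receiving servers do and flags the usual publishing mistakes. The sample key is constructed placeholder bytes, and the function names are hypothetical.

```python
import base64

def parse_dkim_txt(strings):
    """Join TXT character-strings and split the tag=value list (RFC 6376, 3.6.1)."""
    record = "".join(strings)  # receivers concatenate the strings with no separator
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        # Whitespace inside a value (e.g. folded base64) is not significant
        tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim_record(strings):
    """Return a list of problems; an empty list means the record looks usable."""
    problems = []
    if any(len(s.encode()) > 255 for s in strings):
        problems.append("a TXT string exceeds 255 bytes; split the value into several strings")
    try:
        tags = parse_dkim_txt(strings)
    except ValueError as exc:
        return problems + [str(exc)]
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= (public key)")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or mangled on paste?)")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in DKIM testing mode")
    return problems

# Constructed sample: 294 placeholder bytes stand in for a 2048-bit RSA public key.
SAMPLE_KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY
SAMPLE_SPLIT = [SAMPLE_VALUE[:250], SAMPLE_VALUE[250:]]
```

`check_dkim_record(SAMPLE_SPLIT)` returns an empty list, while passing the same value as one string reports the 255-byte limit that 2048-bit keys commonly run into.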
Information
The Information tab displays information on account creation date and the date the terms of service were accepted.
System settings
Select a location for system settings, such as identity service configurations, connection to Microsoft Entra ID and similar configurations. The location can be saved to your organization's Active Directory or in the Specops Cloud.
Username Protection
Username Protection prevents user enumeration during authentication. When enabled, the authentication flow behaves identically whether a username exists or not. This prevents malicious actors from discovering valid usernames based on system responses.
From a security perspective, this reduces the risk of username harvesting and targeted attacks. The trade-off is that users will not receive immediate feedback if they mistype their username. Instead, they appear able to complete the authentication process, but will ultimately be unable to sign in if the username does not exist. This is expected behavior and is part of ensuring consistent responses.
If a non-existent username is entered, the user is allowed to proceed through the authentication flow as usual, but authentication will always fail at the final step, so sign-in can never be completed. No error messages or visual cues indicate whether the username was valid.
During authentication, the entered username is displayed as “Signing in as: <username>” at the bottom of the page before the user has been fully authenticated. The username is not shown in the top-right user menu until authentication has successfully completed. This ensures a consistent experience regardless of username validity.
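The behaviour described above, sketched as a two-step sign-in flow. This is an added illustration, not Specops Authentication's implementation; the function names, the user store and the PBKDF2 password check are assumptions made for the example.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Iteration count chosen for the demo only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed directory with a single account (hypothetical data).
USERS = {"alice@example.com": _make_record("correct horse")}
# Decoy record so unknown usernames cost the same hashing work as real ones.
_DECOY = _make_record(os.urandom(16).hex())

def identify(username, protection_enabled):
    """Step 1: the user submits a username."""
    if not protection_enabled and username not in USERS:
        # Early feedback helps with typos but reveals which usernames exist
        return {"next": "error", "message": "Unknown username"}
    return {"next": "credential", "signing_in_as": username}

def authenticate(username, password):
    """Final step: same work and same failure response for every username."""
    record = USERS.get(username, _DECOY)
    candidate = _hash(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    ok = matches and username in USERS
    return {"authenticated": ok, "message": None if ok else "Sign-in failed"}

def step1_leaks(protection_enabled):
    """True if step 1 answers differently for a real and a made-up username."""
    real = identify("alice@example.com", protection_enabled)
    fake = identify("nobody@example.com", protection_enabled)
    return real["next"] != fake["next"]

if __name__ == "__main__":
    print("protection off, step 1 leaks:", step1_leaks(False))
    print("protection on,  step 1 leaks:", step1_leaks(True))
    print(authenticate("nobody@example.com", "guess"))
```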
Enabling Username Protection
To configure Username Protection:
- Log in to Specops Authentication Admin pages.
- Select Account.
- Select the Username Protection tab.
- Click Enable.
Username Protection is disabled by default to favor convenience and clear feedback for end users. Users are informed early if a username does not exist, which can help resolve simple typing mistakes.
When Username Protection is enabled, however, the system enforces identical authentication behavior for both existing and non-existing usernames. Enabling the feature requires explicit confirmation, as users will no longer be prompted when a username is misspelled.
Configuring Additional Username Formats
- When Username Protection is disabled, administrators can allow users to sign in using their email address. Click Save to confirm the selection.
The email address, along with the UPN and sAMAccountName username formats, will be used when searching for users.
- When Username Protection is enabled, the username format handling becomes automatic to ensure reliable and consistent identification. Manual configuration of allowed username formats is no longer available.
Delete Account
Accounts can be deleted by contacting Specops.