
Configuring Advanced Authentication for Non Domain Workstations


This document describes how to configure Advanced Authentication for workstations that are not domain joined (e.g. meeting room laptops).

The solution allows domain users to log in with two-factor authentication instead of logging in with the local account.

To set this up you have to perform the following configuration tasks:

    • Configure the Advanced Authentication Methods and Chains
    • Configure the Advanced Authentication Event
    • Install and configure the Advanced Authentication Windows Client
    • Map the domain user to the local account during first login


Configure the Advanced Authentication Methods and Chains

    1. Open the Advanced Authentication Administration portal
    2. Click Methods and configure your authentication methods (I configured the Smartphone method)
    3. Configure the Emergency Password method. This allows you to specify an emergency password for a user in case he has forgotten or lost his Smartphone, Key etc.
    4. Click Chains and create a new chain with your previously configured methods. Make sure that the Emergency Password method is the first one on the list.


Configure the Advanced Authentication Event

    1. Open the Advanced Authentication Administration portal
    2. Click Events > Add a new Event, e.g. WinStandalone
    3. Set Is enabled to ON
    4. Set Event type to Generic
    5. Move one or more chains from the Available to the Used list. Ensure that the chains are assigned to the appropriate group of users in Roles & Groups of the Chains section
    6. Click Save in Event


Install and configure the Advanced Authentication Windows Client

    1. Sign in to the workstation with the local account
    2. Install the Advanced Authentication Windows Client, e.g. naaf-winclient-x64-release-6.1-50.msi
    3. After the installation do not reboot yet. Create the config.properties file in the C:\ProgramData\NetIQ\Windows Client directory (you have to create the Windows Client folder manually)
    4. Specify the following settings. Replace the discovery.host value with the DNS name or IP address of your Advanced Authentication server, and make sure event_name matches the event you created in the portal:

      disable_local_accounts: true
      discovery.host: AAFSERVERDNS or IP
      event_name: WinStandalone

Instead of specifying discovery.host you may configure your DNS so that the client discovers the AAF server itself, using the steps described in the documentation:
https://www.netiq.com/documentation/advanced-authentication-61/windows-client-installation-guide/data/t484px11yu43.html#how_to_set_dns_for_server_discovery

In non-DNS mode it is recommended to disable the local accounts. Since this removes the option of signing in with the local account, make sure the server is reachable and a fallback such as the Emergency Password chain is in place before you reboot. For more information, see the documentation:
https://www.netiq.com/documentation/advanced-authentication-61/windows-client-installation-guide/data/t47magk1zjg3.html#b1mmuyk7

    5. Reboot the workstation
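The client installation and configuration steps above, scripted in PowerShell so they can be repeated on every meeting room laptop. This is an added example, not code from the original page or from NetIQ: the MSI path, server host and event name are parameters you supply, the check that the server answers on TCP 443 assumes the client talks HTTPS to the server, and the domain-join guard is my addition to catch the script being run on the wrong machine.

```powershell
# Added example: install the Advanced Authentication Windows Client and write
# config.properties for a non-domain workstation, following the steps above.
# Assumptions: run elevated in the local account's session; the AAF server is
# reachable on TCP 443; MSI path, server host and event name are supplied by you.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MsiPath,        # e.g. .\naaf-winclient-x64-release-6.1-50.msi
    [Parameter(Mandatory)] [string] $DiscoveryHost,  # DNS name or IP of the AAF server
    [string] $EventName = 'WinStandalone',           # must match the event created in the portal
    [switch] $Reboot                                 # reboot only when explicitly requested
)

$ErrorActionPreference = 'Stop'
$configDir  = Join-Path $env:ProgramData 'NetIQ\Windows Client'
$configFile = Join-Path $configDir 'config.properties'

# Guard: this setup is for standalone workstations only.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This workstation is domain joined; this configuration is for non-domain workstations.'
}

# Check that the server answers before we take the local account out of the login flow.
if (-not (Test-NetConnection -ComputerName $DiscoveryHost -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $DiscoveryHost on TCP 443; fix connectivity before disabling local accounts."
}

# Install silently and without the automatic reboot: the config file must exist first.
if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
$proc = Start-Process msiexec.exe -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/norestart') -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Create the Windows Client folder (the installer does not) and write the settings.
New-Item -ItemType Directory -Path $configDir -Force | Out-Null
$settings = @(
    'disable_local_accounts: true'
    "discovery.host: $DiscoveryHost"
    "event_name: $EventName"
)
# Plain ASCII without a BOM: a BOM in front of the first key is a classic way
# to get a settings file silently ignored.
[System.IO.File]::WriteAllLines($configFile, $settings, [System.Text.Encoding]::ASCII)

# Read the file back and verify every expected key is present before rebooting.
$written = Get-Content $configFile
foreach ($key in 'disable_local_accounts', 'discovery.host', 'event_name') {
    if (@($written -match "^$([regex]::Escape($key)):").Count -eq 0) {
        throw "config.properties is missing '$key'"
    }
}
Write-Host "Client installed and $configFile written:`n$($written -join "`n")"

# Until the reboot the local account still works, so troubleshoot now if needed.
if ($Reboot) { Restart-Computer -Force }
```

Run it without -Reboot first, inspect the written file, and only then reboot; once the client starts with disable_local_accounts set to true, a typo in discovery.host or event_name means the workstation cannot be signed into with the local account any more.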




Map the domain user to the local account during first login


Log in with a domain user, e.g. mydomain\bob.
After the authentication you need to map the domain user account to the local account; this is done by logging in with the local account.

This step has to be done once for every domain user. After that the users can log in with their LDAP credentials and second factor (in this case Smartphone).

