This document describes how to configure Advanced Authentication for workstations that are not domain joined (e.g. meeting room laptops).

The solution allows (domain) users to log in using two-factor authentication instead of logging in with the local account.

To set this up, you have to perform the following configuration tasks:

  • Configure the Advanced Authentication Methods and Chains
  • Configure the Advanced Authentication Event
  • Install and configure the Advanced Authentication Windows Client
  • Map domain user to local account during first login

Configure the Advanced Authentication Methods and Chains

  1. Open the Advanced Authentication Administration portal
  2. Click Methods and configure your authentication methods (I configured the Smartphone method)
  3. Configure the Emergency Password method. This allows you to specify an emergency password for a user who has forgotten or lost their Smartphone, key, etc.
  4. Click Chains and create a new chain with your previously configured methods. Make sure that the Emergency Password method is the first in the list.

Configure the Advanced Authentication Event

  1. Open the Advanced Authentication Administration portal
  2. Click Events > Add a new Event, e.g. WinStandalone
  3. Set Is enabled to ON
  4. Set Event type to Generic
  5. Move one or more chains from the Available list to the Used list. Ensure that the chains are assigned to the appropriate group of users under Roles & Groups in the Chains section
  6. Click Save in Event

Install and configure the Advanced Authentication Windows Client

  1. Sign in to the workstation with the local account
  2. Install the Advanced Authentication Windows Client, e.g. naaf-winclient-x64-release-6.1-50.msi
  3. After the installation, do not reboot yet; create the properties file in the C:\ProgramData\NetIQ\Windows Client directory (you have to create the Windows Client folder manually)
  4. Specify the following settings:

    disable_local_accounts: true
    discovery.host: AAFSERVERDNS or IP
    event_name: WinStandalone

Instead of specifying discovery.host, you may configure your DNS so that the client discovers the AAF server, using the steps described in the documentation:
https://www.netiq.com/documentation/advanced-authentication-61/windows-client-installation-guide/data/t484px11yu43.html#how_to_set_dns_for_server_discovery

In non-DNS mode, it is recommended to disable the local accounts. For more information, see the documentation:
https://www.netiq.com/documentation/advanced-authentication-61/windows-client-installation-guide/data/t47magk1zjg3.html#b1mmuyk7

  5. Reboot the workstation
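As an added example (not part of the original post or of the NetIQ documentation), the following PowerShell creates the properties file from steps 3 and 4 and then checks the settings the post cares about: an event_name must be present, and when discovery.host is set (non-DNS mode) local accounts must be disabled. The file name config.properties and the host name aaf.example.com are assumptions; adjust them to your environment.

```powershell
# Added example: write the Windows Client properties file described in the post
# and validate its security-relevant settings. The file name config.properties
# is an assumption; the keys and values come from the post.
function Test-AAClientProperties {
    param([Parameter(Mandatory)][string]$Path)

    # Parse "key: value" lines into a hashtable; skip blank and '#' comment lines.
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*(#|$)') { continue }
        if ($line -match '^\s*([^:\s]+)\s*:\s*(.*?)\s*$') {
            $props[$Matches[1]] = $Matches[2]
        }
    }

    $problems = @()
    if (-not $props['event_name']) {
        $problems += 'event_name is missing; the client cannot select the event (e.g. WinStandalone)'
    }
    # discovery.host present means non-DNS mode; the post recommends disabling local accounts there.
    if ($props['discovery.host'] -and $props['disable_local_accounts'] -ne 'true') {
        $problems += 'non-DNS mode (discovery.host set) but disable_local_accounts is not true'
    }
    return $problems
}

function New-AAClientProperties {
    param(
        [Parameter(Mandatory)][string]$DiscoveryHost,
        [string]$EventName = 'WinStandalone',
        [string]$Directory = 'C:\ProgramData\NetIQ\Windows Client'
    )
    # Step 3 of the post: the Windows Client folder does not exist after installation.
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $path = Join-Path $Directory 'config.properties'   # file name is an assumption
    @(
        'disable_local_accounts: true'
        "discovery.host: $DiscoveryHost"
        "event_name: $EventName"
    ) | Set-Content -LiteralPath $path -Encoding ASCII
    return $path
}

# Usage (run as administrator, before rebooting the workstation):
# $file = New-AAClientProperties -DiscoveryHost 'aaf.example.com'
# Test-AAClientProperties -Path $file   # returns nothing when the settings are consistent
```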

Map domain user to local account during first login

Log in with a domain user, e.g. mydomain\bob.
After the authentication you need to map the domain user account to the local account; this is done by logging in with the local account.

This step needs to be done once for every domain user; after that, users can log in with their LDAP credentials and second factor (in this case the Smartphone).

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: whenz
Feb 14, 2019
9:53 am