3.0 Configuring Logon Filter

Logon Filter is a component that should be installed on the Domain Controllers. It increases security by preventing users from logging on without the Advanced Authentication solution.

Perform the following steps to configure Logon Filter:

  1. Install the Advanced Authentication Logon Filter component on all Domain Controllers.

  2. Enable Logon Filter through the Advanced Authentication - Administrative Portal: Policies section > Logon filter for AD > switch to ON.

  3. Create the following two groups in Active Directory:

    • Legacy logon – add all users to the group (you can just add the Domain Users group to its members).

    • MFA logon – this should be an empty group.

      (you can use any names for the groups)

  4. Navigate in the Advanced Authentication - Administrative Portal:

    Repositories > specify a used Active Directory repository > scroll down > expand Advanced settings > scroll to the bottom.

  5. Point Legacy logon tag to the Legacy logon group and MFA logon tag to the MFA logon group.

    NOTE: The Legacy logon tag must point to a group in Active Directory that includes all the users. It should be a custom group; built-in groups like Domain Users are not supported. The users can be direct members of the group, or you can add another custom group containing the users to it. The MFA logon tag should point to an empty group in Active Directory. When a user logs in, Logon Filter checks how the user authenticated. If the user authenticated with Advanced Authentication, the user is automatically moved to the group specified in the MFA logon tag field.

  6. Scroll up and enter a Password in the Repository Settings.

  7. Scroll down and click Save.

  8. Wait for a minute.

  9. Ensure that Advanced Authentication Windows Client is installed on all required workstations.

  10. When you are ready to prohibit logon on all workstations that do not have the AA Windows Client installed, configure the Microsoft policy Allow log on locally in the Default Domain Policy or a custom GPO to allow logon for only the MFA logon group, using the following steps:

    1. On a Domain Controller, open Group Policy Management Editor by entering gpmc.msc in the search box.

    2. Double-click the name of the forest, double-click Domains, and then double-click the name of the domain in which you want to apply the policy.

    3. Right-click Default Domain Policy, and then click Edit.

    4. In the console tree, expand and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

    5. In the right pane, double-click Allow log on locally.

    6. Click Add User or Group.

    7. Specify the group that the MFA logon tag points to.

    8. Click OK.

    9. Click OK in the Allow log on locally Properties dialog box.

    NOTE: The above steps prohibit users without the NetIQ Windows Client installed from logging on to workstations (only workstations joined to the domain are affected). A user with the NetIQ Windows Client installed is automatically moved from the group pointed to by the Legacy logon tag to the group pointed to by the MFA logon tag.
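As an added example that is not part of the NetIQ documentation, the following PowerShell creates the two custom groups from step 3 and, before you apply the Allow log on locally restriction in step 10, reports which users Logon Filter has not yet moved into the MFA logon group (those users would lose the right to log on to domain workstations). It assumes the ActiveDirectory RSAT module, rights to create and populate groups, and the group names used in the steps above; the function names are my own.

```powershell
# Added example: prepare and check Logon Filter groups (not NetIQ's own code).
# Assumes the ActiveDirectory module (RSAT) and the group names from step 3.
Import-Module ActiveDirectory

$LegacyGroup = 'Legacy logon'   # must contain all users (custom group, not a built-in)
$MfaGroup    = 'MFA logon'      # starts empty; Logon Filter moves verified users here

function New-LogonFilterGroup {
    param([string]$Name, [string]$Description)
    # Create the group only if it does not exist yet; both are custom global security groups.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Description $Description
    }
}

# Step 3: Legacy logon holds everyone (Domain Users nested as a member), MFA logon stays empty.
New-LogonFilterGroup -Name $LegacyGroup -Description 'Logon Filter: users not yet verified by Advanced Authentication'
New-LogonFilterGroup -Name $MfaGroup    -Description 'Logon Filter: users verified by Advanced Authentication'
Add-ADGroupMember -Identity $LegacyGroup -Members (Get-ADGroup 'Domain Users') -ErrorAction SilentlyContinue

function Get-LogonFilterStatus {
    # Resolve nested membership so users reached through Domain Users are counted too.
    $legacy = @(Get-ADGroupMember -Identity $LegacyGroup -Recursive | Where-Object objectClass -eq 'user')
    $mfa    = @(Get-ADGroupMember -Identity $MfaGroup    -Recursive | Where-Object objectClass -eq 'user')

    # Users still only in Legacy logon have not logged on through Advanced Authentication;
    # limiting "Allow log on locally" to the MFA logon group would block them on domain workstations.
    $notMoved = $legacy | Where-Object { $_.SamAccountName -notin $mfa.SamAccountName }

    [pscustomobject]@{
        LegacyUsers = $legacy.Count
        MfaUsers    = $mfa.Count
        NotYetMoved = @($notMoved | Select-Object -ExpandProperty SamAccountName)
    }
}

# Run before step 10: an empty NotYetMoved list means every user has been verified at least once.
Get-LogonFilterStatus
```

Run the check again after the Windows Client rollout and before editing the GPO, since the move only happens when a user actually logs on through Advanced Authentication.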