4.1 Configuring the Logon Filter

  1. Install the Advanced Authentication Logon Filter component on all the Domain Controllers.

  2. Enable Logon Filter through the Advanced Authentication Administration portal Policies > Logon filter for AD.

  3. Create the following two groups using the Global type in Active Directory:

    • Legacy logon: Add all users to the group (you can add the Domain Users group to its members).

    • MFA logon: This group must be an empty group.

      You can use any names for the groups.

  4. In the Advanced Authentication Administration portal Repositories section, specify an Active Directory repository.

  5. Expand the Advanced settings.

  6. Point Legacy logon tag to the Legacy logon group and MFA logon tag to the MFA logon group.

    NOTE: The Legacy logon tag must point to an Active Directory group that includes all users. It must be a custom group; built-in groups such as Domain Users are not supported. Users can be direct members of the group, or you can add another custom group that contains the users to it. The MFA logon tag must point to an empty Active Directory group.

    When a user logs in to Windows and the Logon Filter is enabled, the Advanced Authentication Windows Client prepares a cookie, which is sent to the Domain Controller and then validated on the Advanced Authentication server. After the validation, the Advanced Authentication server returns a username to the Domain Controller, which verifies the group membership. If the user's group membership contains the group pointed to by the Legacy logon tag, that group is replaced with the group pointed to by the MFA logon tag.

  7. Specify a Password in the Repository settings.

  8. Click Save.

  9. You can configure MFA tags per chain. To do this, specify the MFA tags in the Advanced settings of the chain settings. For example, if you specify a Card users group from Active Directory in the MFA tags for the LDAP Password+Card chain, then users who authenticate with that chain are moved from the Legacy logon group to the Card users group.

  10. Ensure that Advanced Authentication Windows Client is installed on all the required workstations.
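The following script is an added example and is not part of the Advanced Authentication documentation; it checks, before you point the tags at them in step 6, that the two groups from step 3 satisfy the stated requirements (Global scope, custom rather than built-in, Legacy group covering all users directly or through nesting, MFA group empty). It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the group names "Legacy logon" and "MFA logon" are the ones you chose.

```powershell
# Added example, not from the product documentation. Group names below are assumptions;
# replace them with the names you created in step 3.
Import-Module ActiveDirectory

$LegacyGroupName = 'Legacy logon'   # assumed name, any name is allowed
$MfaGroupName    = 'MFA logon'      # assumed name, any name is allowed

function Test-LogonFilterGroups {
    param(
        [Parameter(Mandatory)] [string] $LegacyGroup,
        [Parameter(Mandatory)] [string] $MfaGroup
    )
    $problems = @()

    foreach ($name in @($LegacyGroup, $MfaGroup)) {
        $g = Get-ADGroup -Identity $name -Properties isCriticalSystemObject -ErrorAction Stop
        # Step 3: both groups must use the Global scope.
        if ($g.GroupScope -ne 'Global') {
            $problems += "$name has scope $($g.GroupScope); it must be Global."
        }
        # Step 6 note: built-in groups such as Domain Users are not supported as tag targets.
        if ($g.isCriticalSystemObject) {
            $problems += "$name is a built-in (protected) group; create a custom group instead."
        }
    }

    # Legacy logon group must contain all users, directly or via a nested custom group.
    # Note: Get-ADGroupMember is subject to the ADWS member-count limit in very large domains.
    $legacyMembers = Get-ADGroupMember -Identity $LegacyGroup -Recursive |
                     Where-Object objectClass -eq 'user'
    $allUsers = Get-ADUser -Filter 'Enabled -eq $true'
    $missing = Compare-Object -ReferenceObject $allUsers -DifferenceObject $legacyMembers `
                              -Property SamAccountName | Where-Object SideIndicator -eq '<='
    if ($missing) {
        $sample = ($missing | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
        $problems += "$($missing.Count) enabled user(s) are not members of ${LegacyGroup}: $sample"
    }

    # MFA logon group must start empty; the Logon Filter moves users into it at logon time.
    $mfaMembers = @(Get-ADGroupMember -Identity $MfaGroup)
    if ($mfaMembers.Count -gt 0) {
        $problems += "$MfaGroup must be empty but already has $($mfaMembers.Count) member(s)."
    }

    return $problems
}

$result = @(Test-LogonFilterGroups -LegacyGroup $LegacyGroupName -MfaGroup $MfaGroupName)
if ($result.Count -eq 0) { 'Logon Filter groups meet the requirements.' } else { $result }
```

Run it from a workstation or Domain Controller with the ActiveDirectory module installed; an empty result means the groups are ready for step 6.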

NOTE: During login, a user with the NetIQ Windows Client installed is automatically moved from the group pointed to by the Legacy logon tag to the group pointed to by the MFA logon tag.

The group specified in the MFA logon tag is added to the user token, so all Kerberos tickets carry it regardless of which service is requested.

The MFA tag does not work when connecting to Remote Desktop if the user credentials were saved with Remember my credentials.