24.7 Enabling Advanced Authentication for Privileged Access

Before enabling secondary authentication, ensure that you have performed all the configuration steps, in the order given, in Checklist to Follow Before Enabling Secondary Authentication. If the Advanced Authentication server is not configured, users will encounter errors when they try to log in or to obtain privileged access to an endpoint.

You can enable advanced authentication feature for authenticating users who access the following:

  • Administration console

  • Host servers, such as Windows and SSH servers

  • Applications or databases, by checking out passwords or shared keys from the user console

24.7.1 Bypassing Secondary Authentication

You can allow a framework user group or all privileged users to have privileged access without prompting for secondary authentication. To allow this access, Privileged Account Manager provides the Bypass Secondary Authentication option.

This option is useful for framework users in the following scenario:

In an emergency, Privileged Account Manager administrators can log in to the Privileged Account Manager Administration console without being asked for secondary authentication. This works only if the administrator belongs to a user group that has the option enabled. To enable this option for a user group, refer to Enabling Advanced Authentication for Administration Console. Other users who may need to be members of the same group are:

  • Identity Manager users using the driver for Privileged Account Manager

  • Any other users who perform Privileged Account Manager administrative activities through automation.

This option is also available as a global setting that bypasses secondary authentication on the parent rule. It is intended for emergencies, such as when the Advanced Authentication server is down, when you need to bypass secondary authentication for all rules at once. To set this global option, perform the following procedure:

  1. On the home page of the administration console, click Command Control.

  2. In the command control pane, click Command Control.

  3. In the details pane, click Secondary Authentication Setting.

  4. For the Bypass Secondary Authentication for all Policies option, click Yes.

    By default this option is set to No. While it is set to Yes, no rule prompts for secondary authentication, so set it back to No as soon as the Advanced Authentication server is available again.

24.7.2 Enabling Advanced Authentication for Administration Console

You can enable Advanced Authentication for the Administration console to allow access only to the users who pass the secondary authentication.

To enable Advanced Authentication for the Administration console, a Privileged Account Manager administrator must perform the following:

  1. On the home page of the Administration Console, click Framework User Manager.

  2. In the left pane, click Account Settings.

  3. In the right pane, click Secondary Authentication Required.

    This setting ensures that framework users are prompted for secondary authentication when they log in to the administration console.

  4. Add a separate user group that has the Bypass Secondary Authentication option selected.

    NOTE: Create this user group so that, when there is a problem with the Advanced Authentication server, the users in this group can still log in to Privileged Account Manager without being prompted for secondary authentication. Without such a group, an Advanced Authentication outage locks every administrator out of the console.

  5. Add the primary administrator to that group.

    This allows the users in that group to access Privileged Account Manager without being prompted for secondary authentication. For more information about selecting the Bypass Secondary Authentication option, refer to Modifying a Framework User Group.

24.7.3 Enabling Advanced Authentication for Privileged Access to End-Points

You can enable advanced authentication for all endpoints by adding a parent rule at the beginning of the rule tree and selecting the Secondary Authentication check box. You can also enable secondary authentication for individual rules; for example, you may want to require it only when a particular group of users accesses certain servers. In that case, create a rule that matches those users and servers and enable secondary authentication only for that rule. For more information about rules, refer to Adding a Rule.

Advanced authentication can be enabled only for rules that cover the following kinds of access:

  • Secure Shell Relay

  • Secure Shell session initiation through the user console.

  • Remote Desktop Relay

  • Privileged Account Manager Credential Provider for Windows

  • Password check out through user console

  • Shared key check out through user console

NOTE: Secure Shell Relay and Privileged Account Manager Credential Provider rules do not support the advanced authentication methods smart card, fingerprint, and RFID card.

Privileged Account Manager does not support secondary authentication for command-based privileged access, such as pcksh and usrun, or for Run as Privileged User. You must not enable secondary authentication on rules for these kinds of access.

To enable advanced authentication on a rule for privileged access to endpoints, modify the required rule and select Yes for the Secondary Authentication option. For more information about modifying a rule, refer to Modifying a Rule.
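The following script is an added example and is not code from Privileged Account Manager. It turns the constraints in 24.7.1 through 24.7.3 into checks you can run over a rule set before enabling secondary authentication: it flags rules that enable secondary authentication on unsupported command-based access (pcksh, usrun, Run as Privileged User), flags Secure Shell Relay and Credential Provider rules configured with smart card, fingerprint or RFID methods, and models which logins and accesses are prompted once the global bypass and the bypass group are taken into account. The dict-based rule representation, the rule type names, the Settings class and the sample rule set are all assumptions constructed for this example; PAM's own export format and API are not described on this page, and behaviour for cases the page does not mention is not modelled.

```python
"""Checks for the Advanced Authentication settings described in this section.

Added example, not Privileged Account Manager code. The rule and settings
representation below is assumed for illustration only.
"""
from dataclasses import dataclass, field

# Rule types on which secondary authentication can be enabled (24.7.3).
# Type names are assumed; PAM's internal identifiers are not on this page.
SUPPORTED_TYPES = {
    "ssh_relay",
    "ssh_session_user_console",
    "rdp_relay",
    "credential_provider_windows",
    "password_checkout",
    "shared_key_checkout",
}

# Command-based privileged access: secondary authentication is not supported
# and must not be enabled on these rules.
UNSUPPORTED_TYPES = {"pcksh", "usrun", "run_as_privileged_user"}

# Methods that Secure Shell Relay and Credential Provider rules cannot use.
UNSUPPORTED_METHODS = {"smart_card", "fingerprint", "rfid_card"}
METHOD_RESTRICTED_TYPES = {"ssh_relay", "credential_provider_windows"}


def validate_rules(rules):
    """Return (rule name, problem) pairs for every misconfigured rule."""
    problems = []
    for rule in rules:
        name, rtype = rule["name"], rule["type"]
        if not rule.get("secondary_auth"):
            continue  # nothing to check when secondary authentication is off
        if rtype in UNSUPPORTED_TYPES:
            problems.append((name, "secondary authentication is not supported "
                                   "for command-based access"))
        elif rtype not in SUPPORTED_TYPES:
            problems.append((name, f"unknown rule type {rtype!r}"))
        if rtype in METHOD_RESTRICTED_TYPES:
            bad = UNSUPPORTED_METHODS & set(rule.get("methods", ()))
            if bad:
                problems.append((name, f"unsupported methods {sorted(bad)}"))
    return problems


@dataclass
class Settings:
    """Assumed mirror of the three console settings discussed in this section."""
    bypass_all_policies: bool = False      # Command Control > Secondary Authentication Setting
    console_secondary_auth: bool = False   # Framework User Manager > Account Settings
    bypass_groups: set = field(default_factory=set)  # groups with Bypass Secondary Authentication


def console_login_prompts(user_groups, settings):
    """Is a framework user prompted when logging in to the Administration Console?"""
    if not settings.console_secondary_auth:
        return False
    return not (set(user_groups) & settings.bypass_groups)


def endpoint_access_prompts(rule, user_groups, settings):
    """Is a user prompted when obtaining privileged access through this rule?"""
    if settings.bypass_all_policies:       # global emergency bypass overrides every rule
        return False
    if set(user_groups) & settings.bypass_groups:
        return False
    return bool(rule.get("secondary_auth")) and rule["type"] in SUPPORTED_TYPES


# Constructed sample rule set: two of these rules violate the documented constraints.
SAMPLE_RULES = [
    {"name": "parent", "type": "ssh_relay", "secondary_auth": True,
     "methods": ["smart_card", "totp"]},
    {"name": "root-shell", "type": "pcksh", "secondary_auth": True},
    {"name": "dba-rdp", "type": "rdp_relay", "secondary_auth": True,
     "methods": ["smart_card"]},
    {"name": "vault-password", "type": "password_checkout", "secondary_auth": False},
]

# Constructed settings: console login requires secondary auth, one break-glass group bypasses it.
SAMPLE_SETTINGS = Settings(console_secondary_auth=True, bypass_groups={"pam-break-glass"})

if __name__ == "__main__":
    for name, problem in validate_rules(SAMPLE_RULES):
        print(f"{name}: {problem}")
    print("admin prompted:", console_login_prompts({"pam-admins"}, SAMPLE_SETTINGS))
    print("break-glass prompted:", console_login_prompts({"pam-break-glass"}, SAMPLE_SETTINGS))
```

Run the checks against your own rule export before selecting Yes for Secondary Authentication on a parent rule: a parent rule at the top of the tree applies to every child, including pcksh and usrun rules, which the page says must not have secondary authentication enabled.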