How to safeguard local and remote Windows logons via ADSelfService Plus' endpoint multi-factor authentication

With credential theft and password-based attacks on the rise, a password alone is no longer an adequate defense for a Windows logon. A second, independent check is needed to stop an attacker who already holds valid credentials. ADSelfService Plus addresses this by supporting multi-factor authentication (MFA) for all Windows login attempts, local and remote.

Once this feature is enabled, users will be authenticated once using their Active Directory domain credentials and again through any one of the eighteen authentication methods available in ADSelfService Plus.

Prerequisites:

Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase Endpoint MFA.
  1. SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab > Product Settings > Connection. Select the ADSelfService Plus Port [https] option. Refer to the SSL guide to learn how to apply an SSL certificate and enable HTTPS. Use a certificate issued by a CA the endpoints already trust; the login agent and the server communicate over this channel, so a self-signed or mismatched certificate will cause the agent to fail verification.
  2. Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS. The host name in the Access URL must match the certificate and must be resolvable from every endpoint where the agent is installed.
  3. Enable the required authentication methods. 
  4. Install ADSelfService Plus login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. 

Steps involved:

  1. Log in to the ADSelfService Plus web console with admin credentials.
  2. Navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
  3. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  4. In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
  5. Click Save Settings.
    Note: Under Advanced → Endpoint settings, ADSelfService Plus offers the Skip MFA when ADSelfService Plus server is down or unreachable option. If this option is not selected, users will not be able to log in to their machines while ADSelfService Plus is not accessible. Enabling it is nevertheless not recommended: the setting makes the control fail open, so anyone who can prevent the endpoint from reaching the server (for example by disconnecting it from the network or blocking traffic to the access URL) is back to a password-only logon. Instead, keep the server reachable with the availability features the product offers: High Availability and Load Balancing.

With high availability, two instances of the product are created and the secondary instance takes over when the primary instance is down. Load balancing splits the incoming requests to the ADSelfService Plus server among multiple instances to ensure better performance of the product. These features ensure that users have continuous access to the MFA feature and therefore constant access to their machines.
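The two HTTPS prerequisites above and the availability note both come down to the same question from the endpoint's side: can this machine reach the configured Access URL over TLS with a certificate it trusts? The following PowerShell check is an added example written for this page, not ManageEngine's code or part of the login agent; it performs a TCP connect and a TLS handshake against the Access URL using the machine's default certificate validation (no callback that ignores chain errors) and reports the certificate's subject, issuer and expiry. The URL is a placeholder you must replace with your own Access URL, and the 30-day expiry warning threshold is an arbitrary choice.

```powershell
# Added example (not ManageEngine code). Checks, from an endpoint, that the
# ADSelfService Plus Access URL (Admin > Product Settings > Connection) is
# reachable over HTTPS with a certificate this machine trusts. Run it on a
# representative endpoint before enabling MFA for Machine Login: if the server
# is unreachable and "Skip MFA when ADSelfService Plus server is down" is off,
# users cannot log in.
function Test-AdssAccessUrl {
    param(
        # Placeholder; replace with your configured Access URL.
        [string]$AccessUrl = 'https://adselfservice.example.com:9251',
        [int]$ExpiryWarningDays = 30   # arbitrary threshold, adjust as needed
    )

    $uri = [System.Uri]$AccessUrl
    $result = [ordered]@{
        AccessUrl  = $AccessUrl
        Reachable  = $false
        TlsTrusted = $false
        Protocol   = $null
        Subject    = $null
        Issuer     = $null
        NotAfter   = $null
        Problems   = @()
    }

    # Prerequisite 2: the Access URL itself must use HTTPS.
    if ($uri.Scheme -ne 'https') {
        $result.Problems += "Access URL scheme is '$($uri.Scheme)'; it must be https."
        return [pscustomobject]$result
    }
    $port = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }

    # Step 1: plain TCP reachability (DNS + routing + firewall).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $port)
        $result.Reachable = $true
    } catch {
        $result.Problems += "Cannot connect to $($uri.Host):$port - $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: TLS handshake with default chain validation. Passing no
    # RemoteCertificateValidationCallback means an untrusted, expired or
    # name-mismatched certificate throws instead of being silently accepted.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $result.TlsTrusted = $true
        $result.Protocol   = $ssl.SslProtocol.ToString()

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $ExpiryWarningDays) {
            $result.Problems += "Certificate expires in $daysLeft day(s) ($($cert.NotAfter))."
        }
    } catch {
        $result.Problems += "TLS handshake failed (untrusted chain or host name mismatch?): $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    return [pscustomobject]$result
}

# Usage: run on an endpoint, review Problems before enabling MFA for Machine Login.
$check = Test-AdssAccessUrl -AccessUrl 'https://adselfservice.example.com:9251'
$check | Format-List
if ($check.Problems.Count -gt 0) { Write-Warning ($check.Problems -join "`n") }
```

Run it under the same network conditions the endpoints will see in practice (VPN, remote office, off-domain). A failed handshake here is what an endpoint experiences when the server is "unreachable", which is exactly the condition under which the Skip MFA option would silently downgrade the logon to password-only.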

Here's how Windows Logon MFA works:

[Figure: Windows logon MFA workflow]
