...

NOTE: To use the proxy bypass feature with Windows, a proxy server and proxy bypass list must be configured. See Login for Windows Installer Configuration for information about configuring the proxy server and proxy bypass list. Windows 7 or Windows Server 2008 R2 is required to use legacy_http_communication set to true in the config.json file.

End user

First-time usage requirements

...

  1. On the Login for Endpoints Installer Configuration page, select Windows as the Endpoint Operating System.
  2. Select the Endpoint Type to specify that either a single user or multiple users can log on the device.

    Single user: The last user logged into the endpoint login screen is remembered and does not need to log in again.

    Multiple users: Each user must enter their username to log in.

    NOTE: For the single user selection, after the user has successfully logged on the endpoint online, thereafter the user can log on the endpoint when offline without an Internet connection.
  3. Enter the IdP Hostname.
  4. Under Multi-Factor Authentication Settings, specify whether the user must use multi-factor authentication to access the device from a desktop and/or remote desktop session.
  5. If any user group is allowed to bypass multi-factor authentication, enable the bypass option and list the user groups.
    1. Select Users are a member of the following groups. Add the user groups in the fill-in field.
    2. Alternatively, you can add groups manually by adding the group_bypass key to the config.json file, as described in Optional: Add groups that can bypass MFA.

      Group Bypass configuration notes:

      * If using Adaptive Authentication AND the group bypass feature, Adaptive Authentication takes precedence for handling the user's login request and group bypass is checked next.

      * In a multi-forest Active Directory (AD) environment, the user account must be included on each domain to bypass multi-factor authentication on any domain.

      * Login for Windows supports the group bypass feature when users are online and offline. An internal group cache performs validations when AD is unreachable.

      * Users who need to log in without being prompted for additional MFA must belong to a local or domain group that is set up in the bypass option. Add local users only to the local group.

      * The group specified must be a top-level group; nested groups are not supported.

      If using a proxy bypass, you must configure the proxy server and a proxy bypass list, which is the list of hosts that are reached directly instead of through the proxy.

      Proxy Server and Proxy Bypass List configuration notes:

      The following order is used:

      A. "proxy_server" and "proxy_bypass" configuration from the config.json file. These settings are derived from entries made in the Web Admin Login for Endpoints Installer Configuration section. A proxy server can also be configured in the Windows OS, but a "proxy_server" root parameter in the config.json file, if present, takes precedence over the OS setting. The format for the proxy is: "http://[user[:password]@]host[:port]"

      Parameters surrounded by [ ] are optional. "user" and "password" are not supported by the HTTP client on Login for Windows version 19.06 and earlier, or on 19.09.xx and later when the legacy HTTP client is selected by setting "legacy_http_communication": true in the config.json file.

      B. The "proxy_bypass" is a semicolon-separated list of server names or IP addresses to be excluded from proxy usage, for example: "*.acme.sec;*.lore.sec;*.acme-ppi.com;10.*.*.*;192.168.*.*"

      Each item in the list must be one of the following:

      * Fully-qualified domain name (FQDN)
      * Full IP address
      * Partial IP address with the following forms: Class A example = 10.* or Class B example = *.16.* or Class C example = *.168.*
      * Sub-domain name of a parent domain, where the parent is "*.parent.domain.name". For example, *.google.com matches mail.google.com (direct communication) but does not match google.com itself, which still goes through the proxy.

      C. Windows proxy configuration. See the Netsh.exe and ProxyCfg.exe Proxy Configuration Tools article on the Microsoft website.
  6. If enabling Password Reset, specify either the SecureAuth IdP realm or the web page URL the user can access for resetting a password.
  7. If Alternate Credential Providers are permitted, specify if non-SecureAuth credential providers and other credential providers, such as card scanners, can be used.

    Alternate Credential Provider notes

    * By enabling alternate credential providers, users will be able to log in without using the Login for Windows credential provider, and can potentially bypass multi-factor authentication.

    * Enabling alternate credential providers is only recommended in test environments, to let testers bypass Login for Windows so they can readily access their machines.

    * If the default Windows Credential Provider is enabled, users will see their normal login prompt and will have to manually select a different login option to use Login for Windows.
  8. Click Download Installer Config to download the JSON file (config.json). The JSON file must first be configured before it can be used with the MSI file, as described in the Installation section of this guide.

    NOTE: Before installation, config.json must be edited if the end user is not always required to use multi-factor authentication for logging on a local console or remote console. See the Set end user access level section for access level settings and configuration.
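The following is an added example, not code from the Login for Windows product or this guide, that reads a constructed config.json fragment and applies the "proxy_bypass" matching forms listed above (FQDN, full IP, partial IP with wildcards, and "*.parent" sub-domain entries), plus a check of the "proxy_server" format against the legacy_http_communication credential limitation. The matching rules are an interpretation of the documented forms, not the product's actual implementation.

```python
import ipaddress
import json
import re

# Constructed config.json fragment (root keys named in the guide; all values are made up).
CONFIG_JSON = """{
  "proxy_server": "http://proxy.acme.sec:8080",
  "proxy_bypass": "*.acme.sec;mail.lore.sec;10.*.*.*;192.168.*.*;172.16.5.20",
  "legacy_http_communication": false
}"""
# Constructed variant: credentials in proxy_server while the legacy HTTP client is selected.
LEGACY_CONFIG_JSON = """{
  "proxy_server": "http://svc:secret@proxy.acme.sec:8080",
  "legacy_http_communication": true
}"""

def parse_bypass(config_text):
    """Split the semicolon-separated proxy_bypass value into individual entries."""
    cfg = json.loads(config_text)
    return [e.strip().lower() for e in cfg.get("proxy_bypass", "").split(";") if e.strip()]

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def entry_matches(entry, host):
    """Return True if one proxy_bypass entry covers the given host name or IP."""
    host = host.lower()
    if re.fullmatch(r"[\d.*]+", entry) and "*" in entry:   # partial IP, e.g. 10.* or 192.168.*.*
        if not _is_ip(host):
            return False
        return re.fullmatch(re.escape(entry).replace(r"\*", ".*"), host) is not None
    if entry.startswith("*."):       # sub-domain form: *.parent covers children, never parent itself
        return host.endswith(entry[1:]) and host != entry[2:]
    return host == entry             # FQDN or full IP: exact match only

def bypasses_proxy(config_text, host):
    return any(entry_matches(e, host) for e in parse_bypass(config_text))

# http://[user[:password]@]host[:port] as given in the guide.
PROXY_RE = re.compile(r"^http://(?:(?P<user>[^:@/]+)(?::(?P<pw>[^@/]*))?@)?(?P<host>[^:/@]+)(?::(?P<port>\d+))?$")

def check_proxy_server(config_text):
    """'ok', 'invalid', or a flag when credentials are combined with the legacy client."""
    cfg = json.loads(config_text)
    m = PROXY_RE.match(cfg.get("proxy_server", ""))
    if not m:
        return "invalid"
    if m.group("user") and cfg.get("legacy_http_communication", False):
        return "credentials-unsupported-on-legacy-client"
    return "ok"
```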

...