SecurID® Discussions
JashUpadhyay
Occasional Contributor

How to enable administrator with two factor authentication?

Hi Team 

 

I am working on a case where I want administrators to need to enter a passcode and domain password to log in. While installing the agent file on the Windows system, I unchecked the box for exclusion for administrators. When I tested with a domain admin user and a local admin user, it is still taking the domain password and not the passcode + domain password.

Kindly suggest how I should enable two-factor for all types of administrators.

 

Regards

Jash Upadhyay

3 Replies
SGTech
Respected Contributor

Hi Jash Upadhyay, can you create a group for those administrators and challenge them from RSA Control Center? It may help.

EdwardDavis
Employee

You need to look at the GPOs and enable the one for challenge users, and pick the administrators group. The RSA Control Center app is limited and allows you to look at the settings, but the GPO templates (gpedit.msc) are how to enable/disable 'RSA agent for windows' settings.

If you do not have access to the GPOs, or they are managed by another group who claim they are set up correctly but you cannot see them, you can enable verbose Windows Authentication Agent logging in the RSA Control Center under Advanced Tools.

[Screenshot: LAC_Verbose_Tracing2.png]

The SIDAuthenticator* files usually have the Challenge settings, but if you check all files you won't need to go back later. 

[Screenshot: LAC_Verbose_Tracing_allFiles.png]

Challenge can be seen in SIDAuthenticator(LogonUI).log. Search for 'challenged' and you should see something like:

2017-06-30 17:17:50.720 8644.5848 [LACAuthenticator::isChallenged] getChallengeType has determined that the user is challenged.

You'll need to look earlier than this to find the reason. It might be something simple, such as the user being a member of the Challenge group, but other times you find errors in the lookup and a default setting to challenge everyone if the group lookup fails:

2017-06-30 17:17:50.715 8644.5848 [ADSIHelper::getGroupDnLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name.

Open a support case for help on reading these verbose files.
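
The log triage described in the reply above, as an added example that is not part of the original post and is not RSA tooling: it finds each 'challenged' decision in verbose log text and collects the earlier lines from the same context so a failed group lookup stands out. The line layout is inferred from the two log lines quoted in the thread; treating the second field as a process.thread identifier, using "Caught HRESULT" as the error marker, and the 5-second look-back window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the two log lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<ctx>\d+\.\d+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$"  # ctx = process.thread (assumption)
)

# Constructed sample: lines 2 and 4 are quoted in the thread, lines 1 and 3 are made up.
SAMPLE_LOG = """\
2017-06-30 17:17:50.700 8644.5848 [Constructed::example] starting logon for user
2017-06-30 17:17:50.715 8644.5848 [ADSIHelper::getGroupDnLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name.
2017-06-30 17:17:50.716 1200.3344 [Constructed::example] unrelated line from another thread
2017-06-30 17:17:50.720 8644.5848 [LACAuthenticator::isChallenged] getChallengeType has determined that the user is challenged.
"""

def parse(text):
    """Yield (timestamp, ctx, source, message) for lines that match the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["ctx"], m["src"], m["msg"]

def challenge_decisions(text, window_s=5.0):
    """For each line mentioning 'challenged', collect earlier lines from the same
    context within window_s seconds and flag those that report a caught error."""
    records = list(parse(text))
    out = []
    for i, (ts, ctx, src, msg) in enumerate(records):
        if "challenged" not in msg.lower():
            continue
        earlier = [r for r in records[:i]
                   if r[1] == ctx and ts - r[0] <= timedelta(seconds=window_s)]
        errors = [r for r in earlier if "caught hresult" in r[3].lower()]
        out.append({"time": ts, "context": ctx, "decision": msg,
                    "earlier": earlier, "lookup_errors": errors})
    return out

if __name__ == "__main__":
    for d in challenge_decisions(SAMPLE_LOG):
        print(d["time"], d["context"], d["decision"])
        for r in d["earlier"]:
            mark = "!" if r in d["lookup_errors"] else " "
            print(f"  {mark} {r[0]} [{r[2]}] {r[3]}")
```

A decision that carries lookup errors points at the fallback case the reply mentions, where everyone is challenged because the group lookup failed, rather than at real group membership.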