Configure MFA for a Computer or Server

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

The Logon app enables you to require authentication when users log in to a computer or server. This includes protection for RDP and RD Gateway.

There are two parts to the Logon app:

To configure MFA for a computer or server, you must configure a resource for the Logon app in the AuthPoint management UI and then install the Logon app on each computer or server that you want to protect. For Remote Desktop and RDS connections, you install the Logon app on the hosts that users authenticate to. To protect the RD Gateway server itself, you install the Logon app on the server. To protect the hosts behind the RD Gateway, you install the Logon app on the hosts.

When you install the Logon app, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).

On Windows computers with User Account Control (UAC) enabled, MFA is also required when users try to perform an action that requires administrative privileges, such as when they allow an app to make changes to the device. For more information about Windows User Account Control, refer to the Microsoft documentation.

Users can log in with domain or local user accounts, but all users must have an active AuthPoint user account with an authentication policy for the Logon app. Users that do not have an AuthPoint user account with an authentication policy for the Logon app cannot authenticate and log in to a computer with the Logon app installed unless you enable the option to allow non-AuthPoint users to log in without MFA.

If your AuthPoint license expires or you delete your Logon app resource, users can log in to their computers with only their password.

You can download the Logon app from the Downloads page in the AuthPoint management UI.

Requirements

When you set up and deploy the Logon app, be aware of these requirements:

  • All domain and local users must have an active AuthPoint user account and be part of an AuthPoint group with an authentication policy for the Logon app to authenticate and log in

    You can enable the option to allow non-AuthPoint users to log in without MFA for users that do not have an AuthPoint user account.

  • The user name for local and domain users must be the same as their AuthPoint user name
  • Users synced from Active Directory can only log in with a user name in the domain\user name if the computer is connected to the Internet
  • To log in as a local user (not part of the domain), you must have an AuthPoint user account with an active token
  • If your local user has the same user name as your domain user, you can use the same AuthPoint user to authenticate and log in to both accounts
  • If your local user name is different from your domain user name, you must have a separate AuthPoint user for each user account (one for the domain user and one for the local user)
  • When you install the Logon app, the computer must be connected to the Internet before you log in for the first time
  • If you install the Logon app on a computer in an Active Directory domain, you must configure a group policy to allow domain users to authenticate (log on) locally
  • To support user login with Windows Hello, you must install the Logon app v3.0.0 or higher
  • To support MFA for Windows user account control, you must install the Logon app v3.1 or higher
  • The Logon app supports up to 30 concurrent user logins without an Internet connection

Do not install the Logon app on computers that run Windows 7 or older or on servers that run Windows 2008 R2 or older.

Add a Logon App Resource

To start, you must add a resource for the Logon app. You do not need a separate Logon app resource for each computer that the Logon app is installed on. You can use one Logon app resource for all of your authentication policies, regardless of the OS.

After you add a Logon app resource in AuthPoint, you must add the resource to your existing authentication policies, or add new authentications policies for the Logon app resource that include any user groups that must authenticate to log in to their computers.

To add a Logon app resource:

  1. From the AuthPoint navigation menu, select Resources.

Screen shot of the Resources page.

  1. Click Add Resource.

    The Add Resource page opens.

Screen shot of the Add Resource page.

  1. From the Type drop-down list, select Logon App.
    Additional fields appear.

Screen shot of the Add Resource page.

  1. In the Name text box, type a name for this resource.
  2. (Optional) In the Support Message text box, type a message to show on the logon screen.

Screen shot of the Add Resource page.

  1. From the Access for Non-AuthPoint Users drop-down list, select whether to allow users who do not have an AuthPoint user account to log in to protected computers without MFA. You can choose from three options:
    • Do not allow non-AuthPoint users
    • Allow specific non-AuthPoint users to log in without MFA
    • Allow all non-AuthPoint users to log in without MFA

    Non-AuthPoint users can only log in without MFA if an AuthPoint user account with the same user name does not exist.

  1. If you chose to allow specific non-AuthPoint users to log in without MFA, in the Add User Names text box, type the user name of each non-AuthPoint user that can log in without MFA. You can specify up to 50 non-AuthPoint users that can log in without MFA.

Screen shot of the Add Resource page.

  1. Click Save.
  2. Add the Logon app resource to your existing authentication policies, or add new authentications policies for the Logon app resource (see About AuthPoint Authentication Policies). We recommend that the authentication policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.

Download and Install the Logon App

You can use a Windows command prompt to install the Logon app. You can also use the command line option for deployment through Active Directory Group Policy Objects (GPO). To install the Logon app from a Windows command prompt, you must download the Logon app .MSI installer file and configuration file.

When you install the Logon app, the computer you install the Logon app on must connect to the Internet before the user logs on for the first time. This is required so that the Logon app can communicate with AuthPoint to check the authentication policies.

The Logon app stores a copy of the authentication policies locally on the computer. The Logon app uses this local policy file when a user who is offline authenticates, and the local policy file updates when the computer next connects to the Internet. The local policy file stores policy information for only the last 30 user accounts to authenticate. If 30 or more other users authenticated since the last time a user logged in to a computer, an Internet connection is required to log in.

Download the Logon App Installer and Configuration File

To download the Logon app installer and configuration file:

  1. From the navigation menu, select Downloads.
    The Downloads page appears.
  2. In the Logon App section, next to your operating system, click Download Installer.
  3. To download the configuration file for the Logon app, click Download Config. You can use the same configuration file for every installation of the Logon app, regardless of the operating system.

Screen shot that shows the Logon App section of the Downloads page.

Manually Install the Logon App

To manually install the Logon app, on your computer, move the downloaded configuration file to the same directory as the Logon app installer (.MSI or .PKG file). Run the Logon app installer and install the Logon app on the computer or server that you want to protect.

Install the Logon App from a Windows Command Prompt

To install the Logon app from a Windows command prompt:

  1. In the Windows Start menu, right-click Command Prompt and select Run as Administrator.
    A Windows Command Prompt window opens.
  2. Change directory to the location of the .MSI file.
  3. To run the Logon app installer, run one of these commands:
    • To pass the path to the configuration file:
      msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_PATH="[path]\wlconfig.cfg"
    • To pass the content of the configuration file:
      msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_CONTENT="config_file_content_without_spaces"

    Make sure to update the command to match the version of the installer you want to run.

    To install the Logon app silently, with no user interaction required, append /q or /qn to the command. To prevent a computer restart when the installation completes, append /norestart to the command. For more information, see the Microsoft documentation for the msiexec command.

Use an Active Directory GPO to Install the Logon App

You can use the commands described in the previous procedure to install the Logon app remotely on multiple computers through an Active Directory Group Policy Object (GPO). You must use an installation method that supports command line parameters.

You could configure your script to prevent the installation of the Logon app on computers that already have the agent installed.

There are two methods to configure a GPO to install from an .MSI file with command line parameters:

Update the Logon App

The Logon app does not automatically upgrade to the latest version. To upgrade the Logon app, you must download and install the updated version of the agent for Windows or the agent for macOS. The most current version of the agent is available on the Downloads page.

You do not have to uninstall the Logon app or download a new configuration file when you install an updated version of the agent.

To update the agent for Windows:

  1. In the AuthPoint management UI, select Downloads.
  2. In the Logon App section, next to your operating system, click Download Installer. You do not have to download the configuration file.

Screen shot that shows the Logon app section of the Downloads page.

  1. Run the downloaded Logon app installer on the computer or follow the steps in the previous sections to install the agent with the command line or a GPO.

Uninstall the Logon App

You might uninstall the Logon app when you no longer need to protect a computer or server with AuthPoint MFA.

If your AuthPoint license expires and the Logon app is installed, users can log in to their computers with only their password.

If your user login fails, you can still uninstall the Logon app with your computer in Safe Mode.

The Windows Installer (msiserver) does not work by default in Safe Mode. To enable Windows Installer in Safe Mode, you must modify a registry key.

Authentication with the Logon App

When the Logon app is installed on a computer, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication. Which authentication methods are available is determined by the highest authentication policy that includes the Logon app resource and the user's group.

The Logon app for Windows does not validate user passwords until after MFA is complete. When a user enters their password, the Logon app proceeds to the MFA portion of the authentication flow, even if the password is incorrect. After MFA completes successfully, the Logon app validates the password. If the password is incorrect, authentication fails.

If push authentication is enabled, users can select the Automatically send a push notification when I log in check box to make the authentication process easier. When this option is selected, the Logon app automatically sends a push notification to the user after they enter their user name and password.

The Logon app does not support automatic logon for Windows.

To log in to a computer with the Logon app installed:

  1. In the User name text box, type the user name for your domain user. To log in as a local user, type your user name as host name\user name.
  2. In the Password text box, type your Windows or Mac password. For Active Directory user accounts, type your AD password.
  3. Click Next.
    If MFA is required, you see the authentication screen. If the authentication policy for your group only requires a password, you are logged in.
  4. If MFA is required, below Sign-in options, select an authentication option. Push is the default authentication method. If you select a different authentication option, that becomes the default authentication method.

    If your computer does not have an Internet connection and MFA is required, you must select the one-time password or QR code authentication options to authenticate offline.

  5. Press Enter or Return and authenticate.
    • Push — Approve the push notification that is sent to your mobile device.
    • QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app.
    • One-Time Password — Type the one-time password for your token.

If you do not have your token, you must use the Forgot Token feature to log in to a computer with the Logon app installed. For more information, see Authentication Without Your Mobile Device.

Related Topics

Configure MFA

About AuthPoint Authentication Policies

About Authentication