Configure MFA for a Computer or Server

The Logon app enables you to require authentication when users log in to a computer or server. This includes protection for RDP and RD Gateway.

There are two parts to the Logon app: the Logon app resource that you configure in the AuthPoint management UI, and the Logon app software that you install on each computer or server that you want to protect.

To configure MFA for a computer or server, you must first configure a resource for the Logon app in the AuthPoint management UI and then install the Logon app on each computer or server that you want to protect. For Remote Desktop and RDS connections, you install the Logon app on the hosts that users authenticate to.

When you install the Logon app, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).

Users can log in with domain or local user accounts, but all users must have an active AuthPoint user account with an access policy for the Logon app. Users that do not have an AuthPoint user account with an access policy for the Logon app cannot authenticate and log in to a computer with the Logon app installed unless you enable the option to allow specific non-AuthPoint users to log in without MFA.

If your AuthPoint license expires or you delete your Logon app resource, users can log in to their computers with only their password.

You can download the Logon app from the Downloads page in the AuthPoint management UI.

Requirements

When you set up and deploy the Logon app, be aware of these requirements:

  • All domain and local users must have an active AuthPoint user account and be part of an AuthPoint group with an access policy for the Logon app to authenticate and log in

    You can enable the option to allow specific non-AuthPoint users to log in without MFA for users that do not have an AuthPoint user account.

  • The user name for local and domain users must be the same as their AuthPoint user name
  • To log in as a local user (not part of the domain), you must have an AuthPoint user account with an active token
  • If your local user has the same user name as your domain user, you can use the same AuthPoint user to authenticate and log in to both accounts
  • If your local user name is different from your domain user name, you must have a separate AuthPoint user for each user account (one for the domain user and one for the local user)
  • When you install the Logon app, the computer must be connected to the Internet before you log in for the first time
  • If you install the Logon app on a computer in an Active Directory domain, you must configure a group policy to allow domain users to authenticate (log on) locally

Do not install the Logon app on computers that run Windows 7 or older or on servers that run Windows 2008 R2 or older.

Add a Logon App Resource

To start, you must add a resource for the Logon app. You do not need a separate Logon app resource for each computer that the Logon app is installed on. You can use one Logon app resource to create access policies for every group, regardless of the OS.

After you add a Logon app resource in AuthPoint, you must add an access policy for the Logon app to any user groups that must authenticate to log in to their computers.

To add a Logon app resource:

  1. Select Resources.
  2. From the Choose a resource type drop-down list, select Logon App. Click Add Resource.
  3. On the Logon App page, in the Name text box, type a name for this resource.
  4. (Optional) In the Support Message text box, type a message to show on the logon screen.
  5. To allow specific users that do not have an AuthPoint user account to log in without MFA, enable the Allow specific users to log in without MFA toggle.
  6. In the Add User Names text box, type the user name of each non-AuthPoint user that can log in without MFA.

    You can specify up to 50 non-AuthPoint users that can log in without MFA.

  7. Click Save.
  8. Add an access policy for the Logon app resource to one or more user groups (see Access Policies). We recommend that the access policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.

Download and Install the Logon App

You can use a Windows command prompt to install the Logon app. You can also use the command line option for deployment through Active Directory Group Policy Objects (GPO). To install the Logon app from a Windows command prompt, you must download the Logon app .MSI installer file and configuration file.

When you install the Logon app, the computer you install the Logon app on must connect to the Internet before the user logs on for the first time. This is required so that the Logon app can communicate with AuthPoint to check the access policy.

The Logon app stores a copy of the access policy locally on the computer. The Logon app uses this local policy when a user authenticates offline, and it is updated when the computer next connects to the Internet.

Download the Logon App Installer and Configuration File

To download the Logon app installer and configuration file:

  1. From the navigation menu, select Downloads.
    The Downloads page appears.
  2. In the Logon App section, next to your operating system, click Download Installer.
  3. To download the configuration file for the Logon app, click Download Config. You can use the same configuration file for every installation of the Logon app, regardless of the operating system.

Manually Install the Logon App

To manually install the Logon app, on your computer, move the downloaded configuration file to the same directory as the Logon app installer (.MSI file). Run the Logon app installer and install the Logon app on the computer or server that you want to protect.

Install the Logon App from a Windows Command Prompt

To install the Logon app from a Windows command prompt:

  1. In the Windows Start menu, right-click Command Prompt and select Run as Administrator.
    A Windows Command Prompt window opens.
  2. Change directory to the location of the .MSI file.
  3. To run the Logon app installer, run one of these commands:
    • To pass the path to the configuration file:
      msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_PATH="C:/wlconfig.cfg"
    • To pass the content of the configuration file:
      msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_CONTENT="config_file_content_without_spaces"
    • If the installer and the configuration file are in the same location:
      msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi

    Make sure to update the command to match the version of the installer you want to run.
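As an added example (not WatchGuard's own script), the following PowerShell wrapper applies the installer command above as an Active Directory GPO computer startup script: it refuses unsupported Windows versions, copies the .MSI and configuration file next to each other locally, runs msiexec unattended with CONFIG_PATH and a verbose log, and interprets the Windows Installer exit code. The UNC share, file names and log directory are assumptions; change the installer name to the version you downloaded.

```powershell
# Added example, not WatchGuard's own script: unattended Logon app install for a
# GPO computer startup script. The UNC share, file names and log path are assumptions.
param(
    [string]$Share     = '\\fileserver\deploy\AuthPoint',                 # assumed share, readable by Domain Computers
    [string]$Installer = 'AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi', # update to the version you downloaded
    [string]$Config    = 'wlconfig.cfg',                                  # the file from Download Config
    [string]$LogDir    = "$env:ProgramData\AuthPointDeploy"
)
$ErrorActionPreference = 'Stop'

# The Logon app must not be installed on Windows 7 / Server 2008 R2 (NT 6.1) or older.
$os = [Environment]::OSVersion.Version
if ($os -lt [Version]'6.2') {
    throw "Unsupported Windows version $os; Windows 8 / Server 2012 or later is required."
}

# Copy installer and config into one local folder so msiexec never reads from the share.
$local = Join-Path $LogDir 'pkg'
New-Item -ItemType Directory -Force -Path $local, $LogDir | Out-Null
foreach ($f in $Installer, $Config) {
    Copy-Item -Path (Join-Path $Share $f) -Destination $local -Force
}
$msi = Join-Path $local $Installer
$cfg = Join-Path $local $Config
$log = Join-Path $LogDir ('install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# /qn runs with no UI (a startup script has no desktop), /norestart defers any reboot,
# /L*v writes a verbose log. CONFIG_PATH is the installer property shown in the commands above.
$msiArgs = @('/i', "`"$msi`"", "CONFIG_PATH=`"$cfg`"", '/qn', '/norestart', "/L*v `"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but a reboot is required.
# The computer still needs Internet access before the first logon so the agent can fetch its policy.
switch ($proc.ExitCode) {
    0    { Write-Output "Logon app installed. Log: $log" }
    3010 { Write-Output "Logon app installed; reboot required before the first MFA logon. Log: $log" }
    default {
        Write-Error "msiexec failed with exit code $($proc.ExitCode). See $log"
        exit $proc.ExitCode
    }
}
```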

Use an Active Directory GPO to Install the Logon App

You can use the commands described in the previous procedure to install the Logon app remotely on multiple computers through an Active Directory Group Policy Object (GPO). You must use an installation method that supports command line parameters.

There are two methods to configure a GPO to install from an .MSI file with command line parameters:

Update the Logon App

The Logon app (AuthPoint agent for Windows) does not automatically upgrade to the latest version. To upgrade the Logon app, you must download and install the updated version of the agent for Windows. The most current version of the agent is available on the Downloads page.

You do not have to uninstall the AuthPoint agent for Windows or download a new configuration file when you install an updated version.

To update the agent for Windows:

  1. In the AuthPoint management UI, select Downloads.
  2. In the Logon App section, next to your operating system, click Download Installer. You do not have to download the configuration file.
  3. Run the downloaded agent for Windows installer on the computer or follow the steps in the previous sections to install the agent with the command line or a GPO.

Uninstall the Logon App

You might uninstall the Logon app when you no longer need to protect a computer or server with AuthPoint MFA.

If your AuthPoint license expires and the Logon app is installed, users can log in to their computers with only their password.

If your user login fails, you can still uninstall the Logon app with your computer in Safe Mode.

The Windows Installer (msiserver) does not work by default in Safe Mode. To enable Windows Installer in Safe Mode, you must modify a registry key.
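As an added example (not WatchGuard's own), a PowerShell sequence for the Safe Mode uninstall described above. It registers the Windows Installer service under the SafeBoot profile of the current boot (the registry change that lets msiserver start in Safe Mode), starts the service, removes the Logon app with the same .MSI package that installed it, and then removes the SafeBoot entry again. The package path is an assumption; run it from an elevated PowerShell session in Safe Mode.

```powershell
# Added example, not WatchGuard's own: uninstall the Logon app while Windows is in Safe Mode.
# The .MSI path is an assumption; use the same package version that is installed.
param([string]$Msi = 'C:\Temp\AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi')
$ErrorActionPreference = 'Stop'

# Win32_ComputerSystem.BootupState tells us which Safe Mode profile is active.
$boot = (Get-CimInstance Win32_ComputerSystem).BootupState
$profileKey = switch ($boot) {
    'Fail-safe boot'              { 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal' }
    'Fail-safe with network boot' { 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network' }
    default { throw "Not in Safe Mode (BootupState = '$boot'); uninstall normally with msiexec /x." }
}

# Services listed under the active SafeBoot profile are allowed to start in Safe Mode.
# The default value must be the string 'Service' for the MSIServer entry.
$msiKey = Join-Path $profileKey 'MSIServer'
if (-not (Test-Path $msiKey)) {
    New-Item -Path $msiKey -Value 'Service' -Force | Out-Null
}
Start-Service -Name msiserver

# Remove the Logon app with the installer package; /qn = no UI, /norestart = defer reboot.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/x', "`"$Msi`"", '/qn', '/norestart') -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec /x failed with exit code $($proc.ExitCode)"
}

# Undo the Safe Mode change so msiserver is not left startable in Safe Mode permanently.
Remove-Item -Path $msiKey -Recurse -Force
Write-Output 'Logon app removed; restart Windows normally.'
```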

Authentication with the Logon App

When the Logon app is installed on a computer, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication. Which authentication methods are available is determined by the access policy of the Logon app for that user's AuthPoint group.

If push authentication is enabled, users can select the Automatically send a push notification when I log in check box to make the authentication process easier. When this option is selected, the Logon app automatically sends a push notification to the user after they enter their user name and password.

The Logon app does not support automatic logon for Windows.

To log in to a computer with the Logon app installed:

  1. In the User name text box, type the user name for your domain user. To log in as a local user, type your user name as <hostname>\<username>.
  2. In the Password text box, type your Windows or Mac password. For Active Directory user accounts, type your AD password.
  3. Click Next.
    If MFA is required, you see the authentication screen. If the access policy for your group only requires a password, you are logged in.
  4. If MFA is required, below Sign-in options, select an authentication option. Push is the default authentication method. If you select a different authentication option, that becomes the default authentication method.

    If your computer does not have an Internet connection and MFA is required, you must select the one-time password or QR code authentication options to authenticate offline.

  5. Press Enter or Return and authenticate.
    • Push — Approve the push notification that is sent to your mobile device.
    • QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app.
    • One-Time Password — Type the one-time password for your token.

If you do not have your token, you must use the Forgot Token feature to log in to a computer with the Logon app installed. For more information, see Authentication Without Your Mobile Device.

See Also

Configure MFA

Access Policies

About Authentication