Windows Logon Agent - Authentication Methods
Authentication is the process of verifying that the credentials presented are authentic. The agent offers the following authentication methods:
Domain/Workgroup Authentication
Domain Authentication refers to the Multi-Factor Authentication of a domain user through STA. Workgroup Authentication refers to the Multi-Factor Authentication of a local user through STA. The following flow illustrates the user authentication when accessing the domain or local workstation login:
- After invoking the workstation logon, the user is presented with the agent login screen.
- If Multi-Factor Authentication is required, the user enters the credential of the supported second factor, for example, an OTP. The entered credential is sent to STA for verification.
- If STA accepts the second factor, the user is prompted for Microsoft credentials.
  - If the user is part of the domain, the credentials are validated by Active Directory (AD).
  - If the user is part of the local workstation, the credentials are validated by the user's workstation.
- On successful validation of the Microsoft credentials, the user is logged on to the WLA-installed machine.
Offline Authentication
The SafeNet Agent for Windows Logon supports offline authentication, which enables users to log on to Windows machines securely using a SafeNet OTP when there is no connection to STA.
To use offline authentication, the user must have logged on online at least once. After a successful online login, the offline tokens are replenished automatically. While online, a user with admin rights can also replenish the offline tokens manually through the management console.
Refer to the System Requirements section for the tokens supported in Offline Authentication mode.
Offline authentication is not supported in Remote Desktop Protocol (RDP) mode.
The following flow illustrates the user authentication when accessing the workstation in offline mode:
- After invoking the workstation logon, the offline user is presented with the agent login screen.
- If Multi-Factor Authentication is required, the user enters the credential of the supported second factor, for example, an OTP. The entered credential is verified against the offline authentication OTPs stored on the local workstation. Otherwise, if the offline user is part of a local group authentication exception, the second factor is skipped and the credentials are passed to the local workstation.
- If the SafeNet credential is accepted (or the exception applies), the user is prompted for Microsoft credentials.
- On successful validation of the Microsoft credentials, the user is logged on to the WLA-installed machine.
RDP Authentication
The following table describes the RDP authentication flow for the different scenarios when a user tries to access a remote machine. Each cell lists the prompts in the order the user sees them; the "Allow Outgoing RDP connection without OTP" setting is read from the Management Console of the machine initiating the connection, so it only changes the flow when the agent is installed on the local machine:

Allow Outgoing RDP connection without OTP (Management Console setting) | Agent installed on remote machine but not on local machine | Agent installed on both local and remote machine | Agent installed on local machine but not on remote machine
---|---|---|---
Enabled | Microsoft credentials > SafeNet OTP | Microsoft credentials > SafeNet OTP | Microsoft credentials
Disabled | Microsoft credentials > SafeNet OTP | SafeNet OTP of local machine > Microsoft credentials of remote machine > SafeNet OTP of remote machine | SafeNet OTP of local machine > Microsoft credentials of remote machine

When the agent is installed on the remote machine, the flow is:
- After invoking the RDP session, the user is presented with the RDP prompt.
- The user enters the Microsoft password.
- If the Microsoft credentials are valid, the user enters the credential of the supported second factor, for example, an OTP. The entered credential is sent to the SafeNet server (STA) for verification.
- If the SafeNet credential is valid, the user is logged on to the WLA-installed machine.
RDP use cases are not supported for Passwordless Windows Logon. RDP falls back to the AD password and logon policies, as configured.
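The three flows above (domain/workgroup, offline, and RDP) differ only in which factor is checked, by whom, and in what order. The following model encodes that ordering so a given scenario can be traced step by step: it is an added, constructed example and not the agent's or Thales's code. The `Workstation` fields, the offline OTP stock of 10, the one-OTP-per-offline-logon decrement, the representation of the local group exception as a plain set, and the step strings are all modelling assumptions, not product settings or identifiers.

```python
"""Model of the Windows Logon Agent authentication flows described above.

Constructed example, not the agent's code. It reproduces the documented order
of checks (second factor, then Microsoft credentials) for console logons,
offline logons and RDP, including the two caveats that matter in practice:
a user who never logged on online has no offline OTPs, and an OTP step over
RDP fails when the machine that must verify it has no connection to STA.
"""
from dataclasses import dataclass, field

OFFLINE_OTP_STOCK = 10  # assumption: OTPs stored per replenishment


@dataclass
class Workstation:
    agent_installed: bool = True          # WLA present on this machine
    online: bool = True                   # STA reachable from this machine
    allow_rdp_without_otp: bool = False   # "Allow Outgoing RDP connection without OTP"
    # assumption: exception group modelled as a set of user names
    local_group_exception: set = field(default_factory=set)
    # user -> offline OTPs still stored on this workstation
    offline_otps: dict = field(default_factory=dict)


def interactive_logon(ws, user, *, otp_ok, password_ok,
                      mfa_required=True, domain_user=True):
    """Console logon (domain or workgroup). Returns (steps, outcome)."""
    steps = []
    if mfa_required:
        if ws.online:
            steps.append("OTP -> STA")
            if not otp_ok:
                return steps, "DENIED: STA rejected the OTP"
        elif user in ws.local_group_exception:
            # offline flow: the exception group skips the second factor entirely
            steps.append("OTP skipped (local group authentication exception)")
        else:
            steps.append("OTP -> offline OTPs stored on workstation")
            remaining = ws.offline_otps.get(user, 0)
            if remaining == 0:
                # never logged on online (or stock exhausted): nothing to verify against
                return steps, "DENIED: no offline OTPs for this user"
            if not otp_ok:
                return steps, "DENIED: offline OTP invalid"
            ws.offline_otps[user] = remaining - 1  # assumption: one OTP consumed per logon
    steps.append("password -> Active Directory" if domain_user
                 else "password -> local workstation")
    if not password_ok:
        return steps, "DENIED: Microsoft credentials rejected"
    if ws.online:
        ws.offline_otps[user] = OFFLINE_OTP_STOCK  # replenished after an online logon
    return steps, "LOGGED ON"


def rdp_logon(local, remote, *, otp_ok, password_ok):
    """RDP from `local` to `remote`; follows the prompt order of the RDP table."""
    steps = []
    if local.agent_installed and not local.allow_rdp_without_otp:
        if not local.online:
            return steps, "DENIED: offline authentication is not supported over RDP"
        steps.append("OTP -> STA (local machine)")
        if not otp_ok:
            return steps, "DENIED: local machine OTP rejected"
    steps.append("password -> remote machine")
    if not password_ok:
        return steps, "DENIED: Microsoft credentials rejected"
    if remote.agent_installed:
        if not remote.online:
            return steps, "DENIED: offline authentication is not supported over RDP"
        steps.append("OTP -> STA (remote machine)")
        if not otp_ok:
            return steps, "DENIED: remote machine OTP rejected"
    return steps, "LOGGED ON"


if __name__ == "__main__":
    ws = Workstation()
    print(interactive_logon(ws, "alice", otp_ok=True, password_ok=True))   # online, stocks OTPs
    ws.online = False
    print(interactive_logon(ws, "alice", otp_ok=True, password_ok=True))   # offline, uses stock
    print(interactive_logon(ws, "bob", otp_ok=True, password_ok=True))     # never online: denied
    print(rdp_logon(Workstation(), Workstation(), otp_ok=True, password_ok=True))
```

Tracing "bob" shows why the first logon must happen online: the offline store holds nothing for him, so the second factor can never be satisfied, and the exception group is the only offline path that does not depend on that store, which is exactly what makes membership in it worth auditing.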