Enabling Secondary User Authentication on Windows Clients
Secondary user authentication can be enabled by editing a Windows Client (or a Client group) configuration.
To enable secondary user authentication for a Windows Client (or for all the Clients in a Client group), do the following:
1. Log in to the Management Tool as a user with the Client Configuration Management permission for Clients.
2. Click the Client Management navigation link (on the left).
3. On the Client Management page, find the Windows Client that you want to enable secondary user authentication for, and click on its name in the Client Name column (or select the Client Groups tab, and find the required Client group, and then click on its name in the Client Group Name column).
NOTE: To find specific Clients, the Search box and filters at the top of the Client Management page can be used (or to find specific Client groups, the Search box at the top of the Client Groups page can be used).
4. On the Editing Client (or Editing Client Group) page that opens, select the Authentication Options tab, and in the Two-Factor and Secondary Authentication section, select the Enable secondary user authentication on login checkbox. The text displayed in the Secondary User Authentication login window can also be customized by changing the default text in the text box below this checkbox.
5. To exclude any specific users from needing to log in using secondary user authentication, enter the required user names in the Users to exclude from secondary user authentication field, separated by semicolons (e.g. user1;user2;user3).
6. To exclude all users in any specific Active Directory user groups from needing to log in using secondary user authentication, enter the required Active Directory group names in the Active Directory user groups to exclude from secondary user authentication field, separated by semicolons (e.g. domain_name1\group_name1;domain_name\group_name2;domain_name\group_name3).
NOTE: The "Enable secondary user authentication on login" and the "Allow the use of one-time passwords" options cannot be used together. Neither of them will function correctly if both of these checkboxes are selected.
7. Click the Finish button (in the bottom right of the page) to save the changes.
NOTE: If the Client is (or Clients in the Clients group are) installed on Windows Server 2003, the computer must be restarted after enabling or disabling the secondary user authentication option. In other versions of the Windows operating system, the secondary user authentication option is enabled immediately.