
Secondary User Authentication on Windows Clients


If the Client is installed on a computer running the Windows operating system, and if multiple users may use the same account to log in to this computer, it is important to also identify the individual person using the account.

Identification of the individual can be performed by means of secondary user authentication, which requires the user to enter additional credentials in a pop-up window after logging in.

If secondary user authentication is enabled, the user will be prompted to enter the credentials of an Ekran System user who has the Access to Endpoint via Secondary Auth. permission for Clients.

The secondary user name will then be displayed in the list of Client Sessions, in brackets after the user name under which the user is logged in to Windows.


NOTE: Secondary user authentication works even if there is no connection between the Client computer and the Application Server computer (i.e. in offline mode), but only for users who have previously logged in to the Client computer at least once using secondary user authentication when there was an active connection. In rare technical cases (e.g. involving re-installing Clients), it may happen that a user cannot log in, in which case an administrator can contact the Ekran System Support team to request a temporary emergency password.

NOTE: The "Enable secondary authentication on login" option cannot be enabled at the same time as the "Allow the use of one-time passwords" option.

NOTE: In some situations (e.g. after a forced restart), the EkranClient service will not start for approximately one minute while the computer is starting up, during which time secondary user authentication will not work.

