Secondary User Authentication on Windows Clients


If the Client is installed on a computer running the Windows operating system, and several users may log in to this computer with the same account, it is important to also identify the individual person using the account.

Identification of the individual can be performed by means of secondary user authentication, which requires the user to enter additional credentials in a pop-up window after logging in.

If secondary user authentication is enabled, the user will be prompted to enter the credentials of an Ekran System user who has the Access to Endpoint via Secondary Auth. permission.

This secondary login will then be displayed in the Client Sessions list, in brackets next to the primary login under which the user is logged in to Windows.


Secondary user authentication only works if there is a connection between the Client computer and the Application Server computer.

If there is no connection with the Application Server computer (i.e. the Application Server is unavailable), the pop-up window for entering the secondary credentials will not be displayed.


NOTE: The use of one-time passwords for internal users cannot be enabled while secondary user authentication is enabled.

NOTE: In some situations (e.g. after a forced restart), the EkranClient service will not start for approximately one minute while the computer is starting up. During this time, secondary authentication will not work.