Enabling Secondary User Authentication on Windows Clients

Secondary user authentication can only be enabled while editing a Client or editing a Client group.

To enable secondary user authentication for a Client (or for all the Clients in a Client group), do the following:

1. Log in to the Management Tool as a user with the Client Configuration Management permission.

2. Click the Client Management navigation link on the left.

3. On the Client Management page, find the Windows Client which you want to enable secondary user authentication for, and click on its name in the Client Name column (or select the Client Groups tab and find the required Client group, and then click on its name in the Client Group Name column).

NOTE: To find specific Clients, the search box and filters at the top of the Client Management page can be used (or to find specific Client groups, the search box at the top of the Client Groups page can be used).

4. On the Editing Client (or Editing Client Group) page that opens, select the Authentication Options tab, and in the Two-Factor and Secondary Authentication section, select the Enable secondary user authentication on login checkbox.

5. Optionally, select the Allow the use of one-time passwords checkbox, and then select the names of Management Tool users in the Users Who Can Approve Access drop-down list below it for user requests for one-time passwords to be sent to the specified user names (i.e. Approvers) for access approval.

NOTE: Several email addresses can be entered, separated by semicolons.

NOTE: The use of one-time passwords for internal users cannot be enabled at the same time as secondary user authentication is enabled.


6. Click the Finish button in the bottom right to save the changes.

7. If the Client is (or Clients in the Clients group are) installed on Windows Server 2003, the computer must be restarted after enabling or disabling the secondary user authentication option. On other versions of Windows, the secondary user authentication option is enabled immediately.