By default, the Defender Management Portal is configured to use form-based authentication. As a result, the users need to supply their credentials to sign in to the portal. However, you can enable automatic sign-in for the portal users who are already logged on to the Active Directory domain where the Defender Management Portal is installed.
To enable the automatic sign-in, use IIS Manager to disable anonymous authentication in the Defender Management Portal Web site settings.
To enable automatic sign-in to the portal
With anonymous authentication disabled, when users access the Defender Management Portal, they are automatically signed in with their Windows credentials. When an administrator accesses the Defender Management Portal, the user name and domain name are entered on the sign-in page automatically — only the password is required.
The Defender Management Portal provides a self-service Web site to users. This site is called the Defender Self-Service Portal. On the Defender Self-Service Portal, users can register their hardware tokens and request, download, and activate software tokens without the need to contact system administrator.
When you sign in to the Defender Management Portal as a portal administrator, you can configure all of the Defender Self-Service Portal settings. For example, you can set up a list of users who are allowed to request software tokens and register hardware tokens via the Defender Self-Service Portal, choose the tokens that users can request or register, select a method for verifying users who request or register tokens, select a method for delivering token activation information to the users, and more.
To configure self-service
For more information, see Opening the portal.
Use the Permissions area to set up a list of Active Directory groups whose members are allowed to request software tokens and register hardware tokens on the Defender Self-Service Portal. For each group added to the list, you can select the security tokens the members of that group can request or register.
In the Permissions area, you can use the following elements:
Use the Token storage in Active Directory area to configure settings for storing token objects in Active Directory.
In the Token storage in Active Directory area, you can use the following elements:
Use the URLs for users area to view the self-service URLs at which users can request software tokens and register hardware tokens. You can provide the URLs listed on this page to the users as necessary.
In the User verification settings area, from the Deliver verification code to users via list, you can select a method for verifying the identity of users who request software tokens on the Defender Self-Service Portal.
Enabling user verification provides additional protection against unauthorized token requests and unsanctioned access to sensitive applications. With user verification enabled, in order to receive the requested software token, the users must verify their identity by entering a verification code provided by Defender. You can configure Defender to provide verification code to the users via an automated phone call, in an SMS message, or in an e-mail message.
The following diagram illustrates how user identity verification via e-mail works:
When a user requests a software token on the Defender Self-Service Portal, Defender sends an e-mail message to the user containing a verification code and link. To send the e-mail message, Defender uses the e-mail address specified for the user in the mail attribute in Active Directory.
To verify their identity and receive the requested software token, the user must either click the verification link in the e-mail message or enter verification code on the Defender Self-Service Portal.
The verification link and code provided in an e-mail message increase the security because they
You can select one of the following verification methods:
The E-mail message subject text box allows you to view and modify the default subject of the e-mail messages containing the verification link and code.
The Verification code remains valid for (minutes) text box allows you to view and change the default period during which the verification link and code remain valid.
With this method, Defender uses the TeleSign service. If you select this method, make sure you have a valid account in TeleSign and type your TeleSign customer ID and the REST API Key in the corresponding text boxes. For further details about TeleSign, please go to www.telesign.com.
From the Use selected verification method list, select how the user will receive the verification code. You can select to provide the verification code via an automated phone call, SMS message, or let the user choose one of these delivery methods.
To make an automated phone call or send SMS, Defender can use telephone numbers specified for the user in the following Active Directory attributes: telephoneNumber, homePhone, mobile, pager, and ipPhone. The user will be prompted to select one of these telephone numbers on the Defender Self-Service Portal.
In the Token activation information delivery area, configure e-mail settings to send activation information for software tokens requested via the Defender Self-Service Portal.