
Defender 6.6 - Administration Guide

Enabling/Disabling FIDO2 token

FIDO2 tokens are enabled by default: a FIDO2 token assigned to a user can be used for authentication without further configuration. To disable FIDO2 authentication on a Defender Security Server (or to re-enable it later), add the registry value described below on that server:

On a computer where Defender Security Server is installed, use Registry Editor to create the following value:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition

Value type: REG_DWORD

Value name: FIDO2ENABLED

Value data: 0 to disable and 1 to enable
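As an added example (not part of the Defender documentation), the following PowerShell reads and sets the FIDO2ENABLED value on a Defender Security Server, treating an absent value as the documented default (enabled) and flagging any data other than 0 or 1 as a misconfiguration. The function names are my own, and the script assumes an elevated session on the host where the Defender Security Server is installed. The guide does not say whether the server re-reads this value at runtime, so check in your environment whether the service needs a restart after a change.

```powershell
# Added example, not from the Defender guide. Assumes an elevated PowerShell
# session on the Defender Security Server host; the key is created by the DSS
# installer, only the FIDO2ENABLED value is optional.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition'
$ValueName = 'FIDO2ENABLED'

function Get-DefenderFido2State {
    # Returns the effective state. A missing value means the documented
    # default applies: FIDO2 tokens are enabled.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Enabled (default: FIDO2ENABLED not present)'
    }
    switch ([int]$item.$ValueName) {
        0       { return 'Disabled' }
        1       { return 'Enabled' }
        default { return "Misconfigured: FIDO2ENABLED=$($item.$ValueName), expected 0 or 1" }
    }
}

function Set-DefenderFido2State {
    # Writes FIDO2ENABLED as REG_DWORD 0 (disable) or 1 (enable), creating or
    # overwriting the value, then reports the resulting state.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath. Is Defender Security Server installed on this host?"
    }
    $data = if ($Action -eq 'Enable') { 1 } else { 0 }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
    return Get-DefenderFido2State
}

# Report the current state; uncomment the second line to disable FIDO2 tokens.
Get-DefenderFido2State
# Set-DefenderFido2State -Action Disable
```

Because the value lives under WOW6432Node, a 32-bit Defender Security Server reads it through the registry redirector; writing it to the non-WOW6432Node path by mistake has no effect, which is the first thing to verify when a change appears to be ignored.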


Enabling the use of Microsoft Authenticator

You can allow users to authenticate via Defender by using one-time passwords generated with Microsoft Authenticator.

To enable Microsoft Authenticator for a user

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
  3. In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
  4. Below the Tokens list, click the Program button.
  5. In the Select Token Type step, click to select the Software token option. Click Next.
  6. In the Select Software Token step, click to select the Microsoft Authenticator option.
  7. Complete the wizard to enable Microsoft Authenticator for the user.

For more information about the wizard steps and options, see Defender Token Programming Wizard reference.

Enabling use of OneLogin Authenticator

Users obtain an activation code either from the system administrator or, where the organization has deployed it, through the Defender Self-Service Portal, a dedicated self-service Web site that lets users download and install software tokens, obtain activation codes for software tokens, and register hardware tokens.

To enable OneLogin Authenticator for a user

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
  3. In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
  4. Below the Tokens list, click the Program button.
  5. In the Select Token Type step, click to select the Software token option. Click Next.
  6. In the Select Software Token step, click to select the OneLogin Authenticator option.
  7. Complete the wizard to enable OneLogin Authenticator for the user.

For more information about the wizard steps and options, see Defender Token Programming Wizard reference.

Enabling use of OneLogin Authenticator for PUSH Notifications

Defender 6.6.0 supports PUSH notification authentication through the OneLogin Protect app, in addition to the existing Defender Soft Token PUSH notifications.

It is configured as follows:

  1. The OneLogin token is programmed in the same way as before, through ADUC or the Management Portal.

  2. The user obtains the activation code only from the dedicated OneLogin self-service portal, which lets them register the OneLogin token with the OneLogin Protect app.

NOTE:

  • It can be used for authentication with the Defender Desktop Login, ISAPI, and EAP clients.
  • It can be programmed through ADUC and the Management Portal.
  • If both a OneLogin token and a Defender Soft Token are enabled in the registry and assigned to the user, the PUSH notification to OneLogin Protect takes precedence.
  • No separate registry entries are needed for the PUSH notification timeout or for disabling PUSH notifications: the single registry configuration for Timeout and Disable applies to both push token types (OneLogin and Defender Soft Token).
  • If the user already has a OneLogin token assigned, only the second step (activation through the OneLogin portal) is required.