Once your tokens are added to Active Directory, you can assign them to users.
To assign tokens to users
- Open Active Directory Users and Computers.
- Under the Defender node, open Tokens.
- Double-click a token that you created in the previous section.
- On the Token tab, click Assign.
- Select the desired user and click OK.
- Click OK to save your changes to the token.
- Repeat for each user.
Configuring Safeguard Authentication Services
You can configure Safeguard Authentication Services to integrate with Defender either through Group Policy or manually. One Identity recommends that you use Group Policy.
Safeguard Authentication Services relies on Group Policy for managing the configuration of options and features. To enable one-time password support for Safeguard Authentication Services through Defender, you must modify a Group Policy setting. This setting allows you to turn pam_defender configuration on or off and also allows you to select which services (login applications) you want it to support. It gathers the rest of the one-time password configuration information it needs on the Unix or Linux machine from the access node and other Defender objects in Active Directory. This Group Policy can only apply to machines running Safeguard Authentication Services that have pam_defender installed. Also, if it cannot find an access node that applies to the machine, it makes no configuration changes.
To enable one-time password authentication for Unix
- In the Group Policy Object Editor, navigate to Unix Settings | Quest Defender.
- Double-click the Defender Settings policy in the right-hand pane.
- Click Enable Defender PAM authentication.
- Configure Defender to require a one-time password for specific login services, or all login services.
A login service is any process that authenticates a user to a Unix host. You configure login services for PAM in the pam.conf file. By default, sshd and ssh are automatically configured since this is the most typical scenario. You can specify additional services. The name of the service must correspond to the service name in pam.conf. On some platforms the service names may differ; in that case, specify all service names for all platforms where you have installed Defender.
- To prompt for a one-time password for all services, select Require Defender PAM authentication for all services.
- Click OK to save your settings and close the Defender Settings Properties dialog.
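To check on a Unix host which PAM service names exist and which of them ended up with the module once the policy has applied, the following added example (not One Identity's code) reads both the pam.conf and pam.d layouts and reports whether each service's auth stack references pam_defender directly. It assumes the module appears in an `auth` rule under a name containing `pam_defender`, does not follow include directives, and runs on constructed sample files.

```shell
#!/bin/sh
# Added example: report, per PAM service, whether its auth stack references a module.
# Real use: pam_auth_report pam_defender /etc/pam.conf /etc/pam.d
# Assumptions: the module name contains the given substring and is referenced
# directly in an "auth" rule; include/substack directives are not followed.

pam_auth_report() {   # $1 = module substring, $2 = pam.conf path, $3 = pam.d directory
    {
        # pam.conf layout: service type control module-path [args]
        if [ -f "$2" ]; then
            awk '$1 !~ /^#/ && NF' "$2"
        fi
        # pam.d layout: the file name is the service; type control module-path [args]
        if [ -d "$3" ]; then
            for f in "$3"/*; do
                if [ -f "$f" ]; then
                    awk -v s="${f##*/}" '$1 !~ /^#/ && NF { print s, $0 }' "$f"
                fi
            done
        fi
    } | awk -v m="$1" '
        # Input is now uniform: service type rest-of-rule
        { svc = $1; if (!(svc in hit)) hit[svc] = "no" }
        # Search the whole rule so bracketed controls with spaces do not matter.
        ($2 == "auth" || $2 == "-auth") && index($0, m) { hit[svc] = "yes" }
        END { for (s in hit) print s, hit[s] }' | LC_ALL=C sort
}

# Constructed sample data (file contents and the .so file name are illustrative).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/pam.d"
printf 'auth required pam_defender.so\nauth required pam_unix.so\n' \
    > "$demo/pam.d/sshd"
printf '# console login\nauth required pam_unix.so\naccount required pam_unix.so\n' \
    > "$demo/pam.d/login"
printf 'su auth required pam_unix.so\nssh auth [success=ok default=die] pam_defender.so\n' \
    > "$demo/pam.conf"

# One line per service: "<service> yes|no"
pam_auth_report pam_defender "$demo/pam.conf" "$demo/pam.d"
```

A service listed with `no` that you expected to be protected usually points to a service name in the policy that does not match the name used on that platform.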