ADSelfService Plus assists administrators in improving Windows logon security by supporting two-factor authentication. Once this feature is enabled, users will be required to authenticate using any one of the logon TFA methods of ADSelfService Plus in addition to entering their Active Directory domain credentials during Windows logon.
SSL must be enabled: Log in to ADSelfService Plus web-console with admin credentials. Navigate to Configuration → Multi-factor Authentication → Authenticator Settings tab → TFA for Windows/macOS Login section. Click the Enable SSL (https) link. Select the Enable SSL Port checkbox and click Save. Restart ADSelfService Plus.
TFA must be enabled: Back in the Authenticator Settings screen, click Enable authenticators for Windows/macOS login and configure any one of the authentication methods provided. Click OK.
GINA/CP Client Software must be installed on client machines. Make sure the client software is installed through the GINA/Mac Installation console (Configuration → Administrative Tools → GINA/Mac (Ctrl + Alt + Del) → GINA/Mac Installation) in ADSelfService Plus. Windows/macOS Logon TFA is not supported on machines where the client software was installed manually, through GPO, or by any other method.
Steps to enable two-factor authentication during Windows logon:
Log in to the ADSelfService Plus web-console with admin credentials.
Navigate to Configuration → Multi-factor Authentication → Authenticator Settings tab → TFA for Windows/macOS Login.
From the Choose the Policy drop-down, select the policies for which you wish to enable TFA.
ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
Select the Enable authenticators for Windows/macOS login option, and configure any one of the authentication factors provided.
By default, the Bypass TFA if ADSelfService Plus is down option is selected when you enable Windows/macOS Logon TFA. This is a fail-open setting: while the client machine cannot reach the ADSelfService Plus server, logon proceeds with the Active Directory password alone, which also means that anything that cuts the client off from the server (an outage, a network change, or a deliberate block) removes the second factor for the duration. If the option is not selected, the feature fails closed and users cannot log on to their machines while ADSelfService Plus is not accessible. Choose according to whether availability or strict enforcement matters more for the policy in question, and make sure the server, including its SSL port, is reliably reachable from the machines covered.
Any change to the Windows Logon TFA settings must be followed by scheduling the GINA/Mac Installation scheduler or the GINA/Mac Customization scheduler.
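Because the prerequisites above depend on the SSL port being enabled and on every client being able to reach it (and the Bypass TFA if ADSelfService Plus is down setting turns on exactly that reachability), it is worth verifying from a client machine before rolling the feature out. The following PowerShell script is an added example and not part of the ADSelfService Plus documentation or product: run from a client, it checks that the server accepts TCP connections on the SSL port, completes a TLS handshake, and presents a certificate that chains to a root trusted on that machine. The hostname is an assumption, and 9251 is used only because it is the product's default HTTPS port; use whatever port was saved under Enable SSL Port in the console.

```powershell
# Added example, not ADSelfService Plus code. Run on a client machine to confirm the
# ADSelfService Plus server is reachable over its SSL port and presents a trusted certificate.
param(
    [string]$Server    = "adssp.corp.example",  # assumed hostname of the ADSelfService Plus server
    [int]   $Port      = 9251,                  # assumed: product default HTTPS port; match the console
    [int]   $TimeoutMs = 5000
)

$result = [ordered]@{
    Server       = $Server
    Port         = $Port
    TcpReachable = $false
    TlsHandshake = $false
    CertSubject  = $null
    CertExpires  = $null
    CertTrusted  = $false
    Detail       = $null
}

# Shared state for the certificate validation callback (a hashtable so the closure can mutate it).
$tlsState = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

$client = New-Object System.Net.Sockets.TcpClient
try {
    # Bounded TCP connect so an unreachable server does not hang the check.
    $async = $client.BeginConnect($Server, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        throw "TCP connect to ${Server}:${Port} timed out after $TimeoutMs ms"
    }
    $client.EndConnect($async)
    $result.TcpReachable = $true

    # Record chain/name errors instead of aborting the handshake, so the report shows *why*
    # the certificate is not trusted rather than just that the connection failed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $tlsState.Errors = $errors
        return $true
    }.GetNewClosure()

    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)
    $result.TlsHandshake = $true

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $result.CertSubject = $cert.Subject
    $result.CertExpires = $cert.NotAfter
    $result.CertTrusted = ($tlsState.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
    $result.Detail      = $tlsState.Errors.ToString()   # e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
    $ssl.Dispose()
}
catch {
    $result.Detail = $_.Exception.Message
}
finally {
    $client.Dispose()
}

[pscustomobject]$result | Format-List
```

A machine that reports TcpReachable or TlsHandshake as False is, from the client's point of view, one on which ADSelfService Plus is "down": with the bypass option selected it will log users on with the domain password alone, and without it they will be locked out. A CertTrusted value of False with RemoteCertificateChainErrors in Detail means the certificate bound to the SSL port is not issued by a CA the client trusts, which is the usual state after the port is first enabled with a self-signed certificate and should be resolved before enabling TFA for a policy.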