Login for Windows configuration guide

Updated June 21, 2022

Login for Windows adds multi-factor authentication to the login experience for the Windows desktop and remote server. This endpoint configuration is available in SecureAuth IdP 9.3 and the SecureAuth® Identity Platform release 19.07 or later.

This guide applies to Login for Windows version 21.04 or 22.06.

For a summary of release information, see Login for Windows release notes.

Disclaimers

Duplicate usernames

The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Windows will not authenticate end users if their usernames are duplicated across multiple data stores.

Pre-login assessment service

Customers who want to use the pre-login assessment service must create the questionnaire themselves. SecureAuth does not host this document; rather, SecureAuth enables customers to integrate their own questionnaire with the Identity Platform version 19.07+ and Login for Windows version 20.09+.

Non-domain joined devices

Login for Windows does not support non-domain joined devices. Issues pertaining to account synchronization are the responsibility of the customer and not SecureAuth.

If a computer is not domain-joined AND all local users are blocked by Adaptive Authentication OR are not Active Directory (AD) or Azure AD members on SecureAuth Identity Platform, end users receive the following message: "Access is denied for all users on this computer."

samAccountName login support

Login for Windows supports the samAccountName login name format if using Microsoft Active Directory or Azure AD; in this use case, userPrincipalName (UPN) is not supported.

UPN is supported at login if running Login for Windows with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.

Third-party credential providers

With the exception of the Microsoft-provided credential providers, SecureAuth does not support other third-party credential providers installed on the same computer as the Login for Windows credential provider.

Windows 7 and Windows Server 2008

SecureAuth did not certify Windows 7 and Windows Server 2008 with Login for Windows release 20.03+ because Microsoft deprecated both operating systems as end-of-life. Be aware of the following:

  • Login for Windows release 20.03+ works on Windows 7, but SecureAuth does not certify that all features are supported.

  • Only Login for Windows security fixes will be released in the near future.

  • SecureAuth recommends upgrading to an officially supported version of Windows.
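The three support statements above (domain-joined devices only, no third-party credential providers alongside Login for Windows, and no certification on Windows 7 or Windows Server 2008) can be checked before installation. The following read-only PowerShell script is an added example, not SecureAuth's code; it reports domain membership, the OS version, and the credential providers registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. Treating any provider whose DLL lives outside the Windows directory as "third-party" is an assumption of this script, not a SecureAuth rule; the function names are hypothetical.

```powershell
# Added example, not SecureAuth's code: read-only pre-install checks for the
# Login for Windows support statements (domain-joined, certified OS version,
# no third-party credential providers). Run in an elevated PowerShell session
# on the target workstation.

function Test-LfwDomainJoined {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $details = if ($cs.PartOfDomain) { "Member of $($cs.Domain)" } else { 'Workgroup computer (not supported)' }
    [pscustomobject]@{
        Check   = 'Domain joined'
        Passed  = [bool]$cs.PartOfDomain
        Details = $details
    }
}

function Test-LfwOsVersion {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows 7 and Server 2008 R2 report NT 6.1; Windows Server 2008 reports 6.0.
    # Both are uncertified for Login for Windows 20.03+ per the guide above.
    $uncertified = ($ver.Major -eq 6 -and $ver.Minor -le 1)
    [pscustomobject]@{
        Check   = 'Certified Windows version'
        Passed  = -not $uncertified
        Details = "$($os.Caption) ($($os.Version))"
    }
}

function Get-LfwCredentialProvider {
    # Each registered credential provider is a CLSID subkey here; its default
    # value is the display name. The DLL path comes from the CLSID's InprocServer32 key.
    $root   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $winDir = [Environment]::GetFolderPath('Windows')
    Get-ChildItem -Path $root | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $dll   = $null
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -Path $srv) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $srv).'(default)')
        }
        # Assumption (this script's heuristic): a provider DLL outside %SystemRoot%
        # is treated as third-party and should be reviewed by hand.
        $thirdParty = $dll -and -not $dll.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Clsid      = $clsid
            Name       = $name
            Dll        = $dll
            ThirdParty = [bool]$thirdParty
        }
    }
}

function Invoke-LfwPreflight {
    $results   = @(Test-LfwDomainJoined; Test-LfwOsVersion)
    $providers = @(Get-LfwCredentialProvider)
    $flagged   = @($providers | Where-Object { $_.ThirdParty })
    $results  += [pscustomobject]@{
        Check   = 'No third-party credential providers'
        Passed  = ($flagged.Count -eq 0)
        Details = ($flagged | ForEach-Object { "$($_.Name) [$($_.Dll)]" }) -join '; '
    }
    $results   | Format-Table -AutoSize
    $providers | Format-Table Name, Dll, ThirdParty -AutoSize
}

Invoke-LfwPreflight
```

Any row with Passed = False corresponds to one of the unsupported configurations described above. Note that the DLL-location heuristic will also flag Login for Windows itself once it is installed, since its provider is not shipped under the Windows directory; the check is meant to be run before installation, and flagged entries other than Microsoft's built-in providers should be removed or reviewed before proceeding.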

Process

The following outlines the process for setting up Login for Windows in the Identity Platform.

Task A: Review prerequisites

Before you configure Login for Windows in the Identity Platform, review the prerequisites as an administrator and for your end users.

See the Prerequisites for Login for Windows.

Task B: Configure Identity Platform and Login for Endpoints

Set up the Login for Endpoints configuration in the Identity Platform. This sets up the communication between the Identity Platform and the endpoint for user authentication and access.

See Configure Identity Platform and Login for Endpoints.

Task C: (Optional) Integrate pre-login assessment service

You can optionally add a pre-login questionnaire to determine user risk before allowing login access. For example, ask COVID-19 health questions to determine user risk and allow or block users from onsite access to a work computer.

See Integrate pre-login assessment service.

Task D: Install and upgrade Login for Windows

Download and install or upgrade Login for Windows to the target workstation.

See Install and upgrade Login for Windows. This topic also includes uninstallation information.