Use the SecureAuth IdP Credential Provider to protect Windows Desktops and Servers with an additional 2-Factor Authentication module.
Companies and organizations use the SecureAuth IdP Credential Provider to enhance typical Windows Logon functions by adding a 2-Factor Authentication requirement to the username and password validation.
SecureAuth IdP Credential Provider supports usage of the following features:
OATH OTP Multi-Factor Authentication method provided by a SecureAuth mobile, desktop, or browser app, or a third-party hardware token
online and offline mode
Logon and Unlock Windows functions
2-Factor Bypass List of user groups (e.g. Admins) permitted to log on without providing the second factor (OTP)
This version of the Credential Provider also supports Multi-user Mode for terminal server / RDSH – by defaulting the user ID field to blank rather than another user's information – to ensure security for multiple users logging on the same machine.
If using SecureAuth IdP version 9.0.2, then add the following app setting to the web.config:
<add key="CpValidateOTP" value="False" />
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
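The web.config change above is a one-line edit, but doing it by hand on an appliance is easy to get wrong (duplicate keys, a typo in the key name, no backup). The PowerShell function below is an added example, not SecureAuth's own tooling: it sets an appSettings key idempotently, reporting whether it was added, updated or already correct, and keeps a timestamped backup. The web.config path is a placeholder; the demo at the end runs against a constructed file in the temp directory so it can be tried offline.

```powershell
# Added example (not SecureAuth code). Assumes the standard <configuration><appSettings> layout.
function Set-WebConfigAppSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )

    # Resolve to a full path: XmlDocument.Save() resolves relative paths against the
    # process working directory, not the PowerShell location.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($full)

    # Use XPath rather than $xml.configuration.appSettings: an empty <appSettings/>
    # would come back as a string, not an element.
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.SelectSingleNode('/configuration').AppendChild($xml.CreateElement('appSettings'))
    }

    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($node) {
        if ($node.GetAttribute('value') -eq $Value) { return 'unchanged' }
        $node.SetAttribute('value', $Value)
        $state = 'updated'
    } else {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void] $appSettings.AppendChild($node)
        $state = 'added'
    }

    # Keep a backup so the change can be reverted if the IdP misbehaves afterwards.
    Copy-Item -LiteralPath $full -Destination "$full.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml.Save($full)
    return $state
}

# Demo on a constructed web.config (placeholder; the real file lives on the IdP appliance).
$demo = Join-Path $env:TEMP 'web.config'
@'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ExistingKey" value="1" />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $demo -Encoding UTF8

Set-WebConfigAppSetting -Path $demo -Key 'CpValidateOTP' -Value 'False'   # added
Set-WebConfigAppSetting -Path $demo -Key 'CpValidateOTP' -Value 'False'   # unchanged
```

Run it in an elevated PowerShell session on the appliance against the real web.config only when the IdP is version 9.0.2, as the page states; on other versions leave the file alone. An IIS application picks up a web.config edit by recycling, so expect a brief interruption of the realm.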
The SecureAuth Credential Provider installer supports the Wizard install mode and silent mode installation
1. Contact SecureAuth Support to obtain the latest SecureAuth Credential Provider installer
SecureAuth IdP Credential Provider Setup Wizard
2. Open the .msi file, which prompts the SecureAuth IdP Credential Provider Setup Wizard
3. Once the Wizard initiates, click Next to continue the installation
2-Factor Bypass Option
4. Set the IdP Web Service URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the SecureAuth App Enrollment Realm name, and /webservice/profilews.svc, e.g. https://secureauth.company.com/secureauth998/webservice/profilews.svc
5. Provide a list of user group(s) that are allowed to bypass 2-Factor Authentication for login, or leave blank to require 2-Factor for all users
The users belonging to the groups listed are not required to provide the second factor to log into desktops / servers
Nested groups are not supported
Groups able to bypass authentication must be an AD "Security Group"
6. Click Next
7. Click Next to confirm the installation
8. Wait for the Credential Provider to install
9. Click Close to complete the installation
The silent mode is intended for enterprise administrators who leverage software distribution tools or group policies for MSI distribution / installation
2. Open a Command Prompt with the privileges to execute the installer and type in the following:
Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads
Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)
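The page's own silent-install command line is not reproduced here. What follows is an added example, not SecureAuth's script, of the pre-flight checks an administrator would wrap around that command before pushing it through a software distribution tool: confirm the path, confirm the package architecture matches the OS (the 64-bit / 32-bit warning above), run msiexec with the standard Windows Installer switches, and interpret the exit code. It reads the MSI's Summary Information "Template" property through the WindowsInstaller.Installer COM object, which reports "x64;..." for 64-bit packages and "Intel;..." for 32-bit ones. No SecureAuth-specific MSI properties are passed because their names are not given on this page; the values the wizard collects (IdP Web Service URL, bypass groups) must be supplied the way SecureAuth Support documents. The path and log location are placeholders.

```powershell
# Added example (not SecureAuth's installer script). Assumptions: $MsiPath is a placeholder
# for the file obtained from SecureAuth Support; msiexec switches used are the standard ones.

function Get-MsiTemplate {
    # Reads Summary Information property 7 (Template), e.g. "x64;1033" or "Intel;1033".
    # The Installer COM object needs InvokeMember in PowerShell; direct method calls fail.
    param([Parameter(Mandatory)] [string] $Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
    $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(7))
}

function Install-CredentialProviderSilently {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $LogPath = (Join-Path $env:TEMP 'SecureAuthCP-install.log')
    )

    # Fail early on a wrong path (the page's "replace msi-path" step).
    $MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path
    if ([IO.Path]::GetExtension($MsiPath) -ne '.msi') { throw "Not an .msi file: $MsiPath" }

    # Architecture check: the page says the 64-bit / 32-bit package must match the machine.
    $template = Get-MsiTemplate -Path $MsiPath
    $msiIs64  = $template -match '^(x64|AMD64|Intel64)'
    $osIs64   = [Environment]::Is64BitOperatingSystem
    if ($msiIs64 -ne $osIs64) {
        throw "Package Template '$template' does not match this OS (64-bit OS: $osIs64)"
    }

    # /qn = no UI, /norestart = let the deployment tool schedule the reboot, /l*v = verbose log.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { 'Installed. Restart before expecting the OTP text box at logon.' }
        3010    { 'Installed. Windows Installer reports a restart is required.' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Usage (placeholder path, matching the page's example download folder):
# Install-CredentialProviderSilently -MsiPath 'C:\users\admin\downloads\<SecureAuth-CP>.msi'
```

Keep the verbose log: if the credential provider never appears after the restart, the log is the first place a failed custom action or a missing prerequisite will show up, and it is the file SecureAuth Support will ask for.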
Troubleshooting / Common Issues
If additional OTP text box does not display after restart
After initial installation, the credential provider may require an extended period of time to display
If the credential provider does not display, then an additional restart may be required
Error Messages and What They Mean
An internal system error occurred - please contact your system administrator: This typically indicates that something has been misconfigured, or a component is not registered or is missing. It could also mean that a catastrophic error has occurred, such as a memory allocation error or a disk full situation that needs the attention of an administrator. Uninstall and reinstall is recommended.
Invalid Username, Password, or One-Time Password: This typically indicates that either the incorrect credentials were entered or that the user did not perform the initial logon when on the domain. The client computer must be able to reach the SecureAuth IdP appliance and the domain for the initial logon so that the seed values can be cached in the registry and so that the computer can be used offline.
An invalid username was entered - please try again: This indicates that the username could not be parsed due to invalid syntax (e.g., "\", "\username", "domain\").
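Two of the situations above, the OTP text box not appearing after a restart and the "internal system error" that the page attributes to a component not being registered or missing, can be narrowed down without reinstalling by inspecting how Windows itself registers credential providers. The script below is an added diagnostic, not SecureAuth's tooling. It enumerates the well-known registration key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, resolves each provider's CLSID to its COM server DLL and checks that the DLL exists on disk. The SecureAuth provider's CLSID is not given on this page, so the filter matches the provider's display name on the string "SecureAuth", which is an assumption; adjust it to whatever name the installer actually registers.

```powershell
# Added example (not SecureAuth code). Assumption: the SecureAuth provider's registered
# default value contains "SecureAuth"; its CLSID is not known from the page.

function Get-RegisteredCredentialProvider {
    # Every credential provider Windows will load is listed under this key by CLSID.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($key in Get-ChildItem -LiteralPath $base) {
        $clsid = $key.PSChildName
        $name  = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'

        # The CLSID must also be registered as an in-process COM server with a DLL path.
        $server = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { $null }
        $dllPresent = $false
        if ($dll) {
            $dllPresent = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
        }

        [pscustomobject]@{
            Clsid          = $clsid
            Name           = $name
            Dll            = $dll
            ComRegistered  = [bool] $server
            DllPresent     = $dllPresent
        }
    }
}

function Test-SecureAuthCredentialProvider {
    # Returns a one-line verdict per condition the page's error text mentions.
    $all = Get-RegisteredCredentialProvider
    $sa  = $all | Where-Object { $_.Name -like '*SecureAuth*' }   # assumption: name contains SecureAuth
    if (-not $sa) {
        return 'Not registered under Credential Providers: installer did not complete or needs a reinstall'
    }
    foreach ($p in $sa) {
        if (-not $p.ComRegistered) { "$($p.Clsid): listed, but no InprocServer32 COM registration" }
        elseif (-not $p.DllPresent) { "$($p.Clsid): COM registration points at a missing DLL ($($p.Dll))" }
        else { "$($p.Clsid): registered, DLL present ($($p.Dll))" }
    }
}

Get-RegisteredCredentialProvider | Format-Table Clsid, Name, ComRegistered, DllPresent -AutoSize
Test-SecureAuthCredentialProvider
```

If the provider is listed and its DLL is present, the missing OTP box is more likely the delayed first display the page describes, so a second restart is the next step; if the CLSID or DLL is absent, that matches the "not registered or is missing" case and the uninstall / reinstall the page recommends is justified. Do not hand-edit this key to "fix" a registration: a broken credential provider entry can prevent interactive logon on the machine.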
March 14, 2016
Terminal server / RDSH support (multi-user mode)
Update method and location used to store configuration data in registry
New option to suppress last login user ID in user ID field for multi-server workstations or servers (Silent Mode only)
Preserve bypass group and URL on upgrade
Feature to not display Last User Login (Silent Mode only)