Prerequisites
Before beginning the installation you must:
-
Have administrative privileges on the target Windows machine.
-
Obtain the Windows Workstation Authentication installation file from Backstage.
You must have a Backstage account and be logged in to view the download.
-
Create a service account user for the Windows RADIUS proxy to run as. The minimum account privileges this user needs are:
-
Enable Log on as a service. For more information, refer to Microsoft’s documentation.
-
Write permission to C:\windows\system32 to have access to create the
logsfolder. -
Write permission to C:\Windows\System32\logs folder.
-
-
Pre-configure journeys and services, as described in Create authentication journey(s).
-
Ensure all usernames (profiles/accounts) match from Windows (or the authoritative source) > ForgeRock and vice versa.
-
Set up a connector from ForgeRock to the datastore (for example, AD) and sync the data.
-
-
For push and OTP (TOTP/OATH) authenticator methods, users pre-register in the appropriate journeys.
It is crucial for users to pre-register; otherwise, these MFA methods will not work through the RADIUS proxy.
Your RADIUS client must support the exchange of the TOTPs from ForgeRock journey > RADIUS proxy > RADIUS client and conversely to work. This includes handling challenge-response flows. If your client cannot handle the calls, use the push method instead.
-
Users install the ForgeRock Authenticator application to their smartphone via the Apple store or Google Play store.
-
For high availability/disaster recovery, it is recommended to deploy the necessary amount of Windows Workstation Authentication behind load balancers. Additionally, only one instance per machine is allowed.