Prerequisites
Before beginning the installation you must:
- Have administrative privileges on the target Windows machine.
- Download the Enterprise Connect Windows Workstation Authentication installation file from Backstage. You must have a Backstage account and be logged in to view the download.
- Create a service account user for the Enterprise Connect Windows RADIUS proxy to run as. The minimum account privileges this user needs are:
  - The Log on as a service right. For more information, see Microsoft's documentation.
  - Write permission to C:\Windows\System32, so that the proxy can create the logs folder.
  - Write permission to the C:\Windows\System32\logs folder.
- Pre-configure journeys and services, as described in Create authentication journey(s).
- Ensure all usernames (profiles/accounts) match between Windows (or the authoritative source) and Ping Identity, in both directions.
- Set up a connector from Ping Identity to the datastore (for example, AD) and sync the data.
- For push and OTP (TOTP/OATH) authenticator methods, users must pre-register in the appropriate journeys. It's crucial for users to pre-register; otherwise, these MFA methods won't work through the RADIUS proxy.
  Your RADIUS client must support the exchange of TOTPs from the Ping Identity journey to the RADIUS proxy to the RADIUS client, and back, for OTP to work. This includes handling challenge-response flows. If your client can't handle these calls, use the push method instead.
- Users install the ForgeRock Authenticator application on their smartphone from the Apple App Store or Google Play Store.
- For high availability or disaster recovery, deploy as many Enterprise Connect Windows Workstation Authentication instances as you need behind load balancers. Only one instance per machine is allowed.
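The service account prerequisite above lists the rights the RADIUS proxy account needs. The following PowerShell script is an added example, not part of the Ping Identity documentation or product, that creates such an account with exactly those rights and then verifies them. It assumes a local account (the name svc-radiusproxy is a placeholder; on a domain-joined host you would create the account in AD instead), an elevated session, and that you create the logs folder yourself during setup, which means the account only needs write access on the logs folder rather than on System32 itself. If you prefer to let the service create the folder, grant the System32 write permission the prerequisites list as well.

```powershell
# Added example (not Ping Identity code): prepare and verify a least-privilege service
# account for the Enterprise Connect Windows RADIUS proxy. Run from an elevated session.
#Requires -RunAsAdministrator

$AccountName = 'svc-radiusproxy'            # hypothetical account name
$LogDir      = 'C:\Windows\System32\logs'    # logs folder named in the prerequisites

# 1. Create the local service account if it does not exist yet.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Enterprise Connect RADIUS proxy' | Out-Null
}
$Sid = (Get-LocalUser -Name $AccountName).SID.Value

# 2. Create the logs folder now, as the administrator, and grant the account Modify on
#    that folder only. Because the folder already exists, the service does not need its
#    own write permission on C:\Windows\System32 to create it.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
icacls $LogDir /grant "${AccountName}:(OI)(CI)M" | Out-Null

# 3. Grant 'Log on as a service' (SeServiceLogonRight) with secedit, keeping every
#    principal that already holds the right.
$Export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Current = (Get-Content $Export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }) `
           -replace '^SeServiceLogonRight\s*=\s*', ''
if ($Current -notmatch [regex]::Escape("*$Sid")) {
    $NewValue = if ($Current) { "$Current,*$Sid" } else { "*$Sid" }
    $Apply = Join-Path $env:TEMP 'grant-logon-as-service.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $NewValue
"@ | Set-Content -Path $Apply -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'grant.sdb') /cfg $Apply /areas USER_RIGHTS | Out-Null
    Remove-Item $Apply -Force
}
Remove-Item $Export -Force

# 4. Verify: the account must hold SeServiceLogonRight and Modify on the logs folder.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$HasLogonRight = (Get-Content $Export) -match "^SeServiceLogonRight\s*=.*\*$([regex]::Escape($Sid))"
Remove-Item $Export -Force
$HasModify = (Get-Acl $LogDir).Access | Where-Object {
    $_.IdentityReference.Value -like "*\$AccountName" -and
    $_.FileSystemRights.ToString() -match 'Modify|FullControl' -and
    $_.AccessControlType -eq 'Allow'
}
"Log on as a service: $([bool]$HasLogonRight)"
"Modify on ${LogDir}: $([bool]$HasModify)"
```

The verification step is the part worth keeping in a build checklist: it re-reads the effective user-rights assignment and the folder ACL rather than trusting that the grant commands succeeded, and it reports only whether the account holds the two rights the proxy needs, so any extra permissions (for example, full control on System32) are easy to spot and remove before the service goes live.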