Prerequisites
Before beginning installation, verify that:
- Workstations support TPM version 2.0.
- Decide whether each Windows workstation will be domain-joined or standalone. Windows Workstation Authentication supports both.
  - Ensure that usernames (profiles/accounts) match between Windows (or the authoritative identity source, such as AD) and ForgeRock in both directions.
  - Set up a connector from ForgeRock to the datastore (for example, AD) and synchronize the data.
  - Entered credentials are always verified against the local Windows machine (or against AD, if configured). You can additionally have them validated against ForgeRock via the Use credentials setting.
- End users install the ForgeRock Authenticator application.
- Establish connectivity between the ForgeRock environment and the end users' Windows workstations.
  Communication with the ForgeRock environment is required for Windows Workstation Authentication to function properly. Adjust firewall and network settings accordingly so that workstations can reach it.
- Pre-configure journeys and services, as described in Create authentication journey(s).
- If push MFA is one of the methods the organization wants to offer, end users must pre-register in the appropriate journey.
  Pre-registration for push notifications is essential; without it, push authentication will not work at Windows login.
- For HOTP journeys using out-of-band (OOB) channels such as SMS, email, or voice call, the user's ForgeRock profile must have the phone number and email address populated accordingly.
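The workstation-side checks above (TPM 2.0, domain-joined or standalone, and connectivity to the ForgeRock environment) can be verified before installation with a short pre-flight script. The following PowerShell is an added example, not code from the ForgeRock documentation or product; the `$AmBaseUrl` value is a placeholder you must replace with your own AM URL, and the script assumes AM's `/json/serverinfo/*` endpoint is reachable without authentication in your deployment. Run it in an elevated PowerShell session, because querying `Win32_Tpm` requires administrator rights.

```powershell
# Pre-flight check for Windows Workstation Authentication prerequisites.
# Added example; not part of the ForgeRock documentation or product.
# Run as Administrator (Win32_Tpm is not readable by standard users).

$AmBaseUrl = 'https://am.example.com/am'   # placeholder: replace with your AM base URL

$checks = [ordered]@{}

# 1. TPM 2.0. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first
#    comma-separated field is the TPM specification version.
try {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction Stop
    if ($null -eq $tpm) { throw 'No TPM device reported' }
    $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
    $checks['TPM present']   = $true
    $checks['TPM spec 2.0']  = ($specMajor -eq '2.0')
    $checks['TPM enabled']   = [bool]$tpm.IsEnabled_InitialValue
    $checks['TPM activated'] = [bool]$tpm.IsActivated_InitialValue
} catch {
    # Either no TPM, or the query was not run elevated; both fail the check.
    $checks['TPM present']  = $false
    $checks['TPM spec 2.0'] = $false
}

# 2. Domain-joined or standalone. Both are supported; this only records which
#    mode applies so the matching username/connector setup can be confirmed.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$mode = if ($cs.PartOfDomain) { "domain-joined ($($cs.Domain))" } else { "standalone (workgroup $($cs.Domain))" }
Write-Host "Workstation mode: $mode"

# 3. Connectivity to the ForgeRock environment: a TCP reachability test on the
#    AM host/port, then an HTTPS request to AM's unauthenticated serverinfo endpoint.
$uri  = [System.Uri]$AmBaseUrl
$tnc  = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
$checks["TCP $($uri.Host):$($uri.Port)"] = [bool]$tnc.TcpTestSucceeded
try {
    $resp = Invoke-WebRequest -Uri "$AmBaseUrl/json/serverinfo/*" -UseBasicParsing -TimeoutSec 10
    $checks['AM serverinfo reachable'] = ($resp.StatusCode -eq 200)
} catch {
    # TLS errors, DNS failures and non-2xx responses all land here.
    $checks['AM serverinfo reachable'] = $false
}

# Report and return a non-zero exit code if anything failed, so the script can
# gate an automated rollout.
foreach ($entry in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'FAIL' })
}
$failed = @($checks.Values | Where-Object { -not $_ }).Count
if ($failed -gt 0) {
    Write-Warning "$failed prerequisite check(s) failed"
    exit 1
}
Write-Host 'All workstation-side prerequisites satisfied.'
```

The script deliberately does not try to check the remaining prerequisites (Authenticator app installed, user pre-registered for push, phone and email populated in the ForgeRock profile): those live on the user's phone or in ForgeRock, not on the workstation, and need to be confirmed from the ForgeRock side.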