The AuthAnvil Manager web interface is used for day-to-day management of your AuthAnvil Two Factor Auth Server. In order for a user to be able to log into the Manager, they must have the "Site Admin" privilege, granted when their user is created or at any time through the "Manage user" page.
- Open http(s)://<ServerName>/AuthAnvil/Manager/
- Enter your username and AuthAnvil passcode. Your passcode is comprised of your PIN and the next One-Time password from your token. ie. 123484449545. If you have a temporary password assigned, you can use that instead.
- If you have more than one site installed into your AuthAnvil Two Factor Auth server, select the Site from the drop down you want to sign into.
- Click the blue arrow button to attempt authentication.
- After completing the authentication, the AuthAnvil Manager's Dashboard appears.
The dashboard gives you a brief overview of the system, including who has tried to log on and how successful they've been, as well as a list of the last 10 logon attempts. The metrics can be set to report for the past 24 hours, past 48 hours, past week, or past month.
Importing and Managing Tokens
To import tokens, click on the Tokens tab. If there are no tokens in the system, it will bring you to the import wizard. Otherwise, mouse over the action menu and click "Import Tokens".
- Click "Browse" to find your token import file, then click "Load File" to load the tokens from it. You can load multiple token import files at once by repeating the procedure.
- Select the tokens that you would like to import from the "Available Tokens" panel, then click "Add Selected Tokens". This will load them into the "Token Import Queue"
- Once you are satisfied with the tokens in the queue, click "Import Tokens" to import them into the system.
To remove a token from the site, simply go to the tokens tab and click on the serial number of an unassigned token. On the "Manage Token" page, hover over the "Actions" menu, click "Delete Token" and confirm the deletion.
NOTE: Only unassigned tokens can be deleted. If you want to delete a token that is currently assigned to a user, you have to unassign it from the user first.
To unassign a token from a user, go to the tokens tab and click on the serial number of an assigned token. On the "Manage User" page, hover over the "Actions" menu, click "Unassign Token" and confirm the token un-assignment.
The AuthAnvil Manager manages site settings under the "Settings" tab. There are 5 Panels that control site settings:
- Token Lockout Threshold: determines how many failures are allowed before a token will be locked out. A value of 0 means that AuthAnvil Two Factor Auth should never lock out the token. A typical value of 3 attempts will allow a user to recover for an input error while preventing an attacker from probing the server in too much depth.
- Token Lockout Duration: determines how long (in minutes) a token will be locked out (disabled) before it can be used again. A value of 0 means that AuthAnvil Two Factor Auth should never unlock the token, requiring an administrator to unlock it manually. A typical value of 15 minutes will allow a user to recover from a failure while preventing an attacker from probing the server in too much depth.
Base URL: defines the first part of the domain URL path string that will be sent in email messages for enrollment. You can use internal domain names if the emails are expected to be within the local network. If you expect enrollments to be also completed externally, you should provide a fully qualified domain name.
Internal example: yourdomain.local
External example: yourdomain.com
- Mail Server: defines where AuthAnvil Two Factor Auth will send email messages for alerts and enrollment requests. This should be a resolvable name or IP address to a working SMTP (mail) server that will allow the AuthAnvil Two Factor Auth server to relay messages. The Test button will attempt to send an email via the mail server to the email address set on this dialog.
- Email Address: This sets the From Address. This field defines who the email will be sent from, such as 'email@example.com'. NOTE: This email address is also the email address that the server will send any administrative emails to, so make sure that it is a mailbox that is checked regularly.
- Use SSL: determines whether or not the server will attempt to use an SSL connection to communicate with the mail server.
Advanced SMTP Settings:
- SMTP Server Requires Authentication: If the mail server does not allow anonymous access, authenticated SMTP is also supported.
- Server Port: The port that the SMTP server is listening on.
- Username: The username of the SMTP user.
- Password: The password for the SMTP user.
Active Directory User Synchronization
- Enable ADUS: Whether or not ADUS accepts synchronization requests from ADUS clients.
- Shared Secret: The shared secret between the ADUS web service and the ADUS clients.
- Advanced ADUS Policies: See the ADUS documentation for more information.
AuthAnvil supports export/backup at a site level, as well as a full server-level backup/export. To export a site, click Actions > Export Site, provide a password, and AuthAnvil will backup the site settings, users, tokens, and logs to the c:Program filesScorpion SoftwareAuthAnvilAuthAnvilSASAdminSiteExportFiles directory on the AuthAnvil server.
To import a site, use the "Site Import" panel in settings. This will overwrite the existing site's information with the information from the site export file.
Single Sign On
If you have the AuthAnvil Single Sign On component installed on an AuthAnvil Two Factor Auth Server that you manage, the AuthAnvil Manager can be configured for Single Sign On. For more information on how to do this, see the Single Sign On Implementation Guide.
Adding new users is done from the Users tab. Just hover over the actions menu and click the type of user that you want to add. AuthAnvil Two Factor Auth supports 3 different types of users:
Description: Usually a single person with an AuthAnvil token. It is recommended that the username matches the Active Directory username. This type of user also supports the use of "Temporary Passwords", which allow the user to log on using a password instead of a token for a limited amount of time.
Usage Scenario: John's office uses the AuthAnvil Windows Logon Agent for protecting their computer logins. When he logs on, John enters his username of John, his network password, and, in the third field, his PIN and the OTP from his token.
Description: A user that has standard users, who are called members, assigned to it. A grouped user allows multiple users to log on using a shared username. This approach can also be used to create aliases for standard users.
Usage Scenario: John's office protects a server with the Windows Logon Agent. The local security policy says that only domain administrators and the user TechAdmin are allowed to log into the servers. TechAdmin is a Grouped User of which John and the other technician are members. When they log on, they enter the username TechAdmin and the network password, followed by the PIN and OTP from their individual token.
Description: A user that is a standard or grouped user on another site. Authentication requests are sent to that site instead.
Usage Scenario: When John is at a client's office, he uses his normal token. That office's AuthAnvil server has John as a proxied user, so his authentication request is sent over to his office instead of to the local AuthAnvil server.
Please see this article for assistance with adding users.
The Auth Logs tab displays the last 250 audit log entries from the AuthAnvil Two Factor Auth database. The full audit logs are available in the "Logs" table in the database. More information on pulling audit reports from the AuthAnvil Two Factor Auth SQL server is available in this article.