KB-7047: Apps which require "Strong Authentication" do not prompt users for MFA Challenge when launched

Products: Centrify Identity Service, App Edition; Centrify Identity Service, App Plus

26 September 2016 at 01:44 PM

Problem:

After configuring Apps to "Require Strong Authentication", users are still not challenged with their Multi Factor Authentication (MFA) challenges and are able to log in to the app directly, even though the authentication profile is configured to require 2 challenges.

User-added image



Cause:

The reason the user is not challenged with MFA is that the user has already "Strongly Authenticated" (indicated by an asterisk (*) next to the username in the upper right corner).

User-added image

Because the user is already considered "Strongly Authenticated", they are not challenged a second time. This can be caused by various conditions in the policy and authentication profiles, as well as by network location; however, the 2 most common scenarios are described below.


Scenario 1 - A policy is in place which requires Strong Authentication to the User portal. This can be confirmed by first finding the user in the Users list and then reviewing the Policy Summary for the user. Under the "Login Authentication" section, locate the "Login authentication" row of the policy summary and note the Authentication Profile in use in the "Value" column. Next, under Settings >> Authentication >> Authentication Profiles, find that profile and confirm it has a second challenge, which deems it "Strong Authentication" (2 challenges in the Authentication Profile).

User-added image            User-added image

Scenario 2 - IWA silent authentication is in use, and the policy applied to the user for "Login authentication" has the option "Accept IWA connections as strongly authenticated for application policies" checked under the "Allow IWA connections (bypasses login authentication rules and default profile)" section of the policy. This can be confirmed by first finding the user in the Users list and then reviewing the Policy Summary for the user. Under the "Login Authentication" section, this setting will show as "Yes."


User-added image

 

Workaround:

There are no workarounds, as this is expected behavior.



Solution: 

Although the policy is working as expected, if it is required that a User first be challenged by MFA before an app can be launched, the Administrator will need to remove the requirement or setting which grants the User "Strong Authentication" while logging in.

Depending on the scenario identified above under the "Cause" section, use the following to fix the issue:

Scenario 1 - If the user has a policy in use for "Login Authentication" which provides MFA challenges at login, then that login is considered "Strongly Authenticated". To also require a Multi Factor login for App launches, one of the challenges will need to be removed from the "Login Authentication" profile. This is done by editing the authentication profile associated with the policy so that it only requires 1 challenge when logging in. It is a good idea to update the name of the Authentication Profile as well, if needed, to reflect the new configuration. The example above would be changed to the following:

User-added image
 
 
Scenario 2 - More commonly, the policy applied to the User has the option "Accept IWA connections as strongly authenticated for application policies" enabled under "Login Authentication", and the User has authenticated using IWA silent authentication. Uncheck this option in the policy applied to the User(s). The applied policy is found in the User Policy Summary next to the corresponding setting, in the column called "Policy Name".

User-added image

User-added image


Under both scenarios, once these options are removed, the user should be presented with an MFA challenge when launching apps. Such apps will now show a lock in the corner, indicating that additional authentication is needed.
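The two scenarios above, and their fixes, can be checked against a list of user sessions with the following added example. It is illustrative code, not Centrify's product or API; the attribute names (login_challenges, iwa_counts_as_strong, via_iwa) and the sample users are assumptions constructed for this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class LoginPolicy:
    # Attribute names are illustrative assumptions, not Centrify API names.
    profile_name: str
    login_challenges: int        # challenges in the profile used for "Login authentication"
    iwa_counts_as_strong: bool   # "Accept IWA connections as strongly authenticated for application policies"

@dataclass
class Session:
    user: str
    policy: LoginPolicy
    via_iwa: bool                # user signed in through IWA silent authentication

def strong_auth_reason(s: Session) -> Optional[str]:
    """Return why this session already counts as strongly authenticated, or None."""
    if s.policy.login_challenges >= 2:
        return "scenario 1: login profile already requires 2 challenges"
    if s.via_iwa and s.policy.iwa_counts_as_strong:
        return "scenario 2: IWA login accepted as strong authentication"
    return None

def app_launch_prompts_mfa(s: Session) -> bool:
    """An app set to 'Require Strong Authentication' only prompts if the session is not yet strong."""
    return strong_auth_reason(s) is None

def audit(sessions: List[Session]) -> Dict[str, str]:
    """Map user -> reason for every session that would open the app without a fresh MFA prompt."""
    return {s.user: reason for s in sessions if (reason := strong_auth_reason(s)) is not None}

# Constructed sample data mirroring the article's two scenarios and their fixes.
TWO_STEP = LoginPolicy("Portal 2 Challenges", login_challenges=2, iwa_counts_as_strong=False)
ONE_STEP = LoginPolicy("Portal 1 Challenge", login_challenges=1, iwa_counts_as_strong=False)
IWA_STRONG = LoginPolicy("IWA strong", login_challenges=1, iwa_counts_as_strong=True)
IWA_NOT_STRONG = LoginPolicy("IWA fixed", login_challenges=1, iwa_counts_as_strong=False)

SESSIONS = [
    Session("alice", TWO_STEP, via_iwa=False),           # scenario 1: no app prompt
    Session("alice-fixed", ONE_STEP, via_iwa=False),     # fix 1: app prompt returns
    Session("bob", IWA_STRONG, via_iwa=True),            # scenario 2: no app prompt
    Session("bob-fixed", IWA_NOT_STRONG, via_iwa=True),  # fix 2: app prompt returns
    Session("carol", IWA_STRONG, via_iwa=False),         # option set, but no IWA login: prompt
]

if __name__ == "__main__":
    for user, reason in audit(SESSIONS).items():
        print(f"{user}: app MFA prompt skipped ({reason})")
```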



For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/
