Windows group check

OneSpan Authentication Server can use specific Windows groups for authentication when all users are Windows accounts. This Windows group check feature is optional and might be useful in the following scenarios:

  • The authenticators are deployed in stages. The users are not required to log on using an authenticator until they are put into a Windows group. Users can be placed into the group in manageable stages.
  • Two-factor authentication is only needed to access sensitive data and that access is granted to a specific group of users, e.g. administrators. This group of users will require authenticators and will be authenticated by OneSpan Authentication Server. Other users are authenticated by another authentication method.
  • Most users will have authenticators and are allowed to log on to the system, but some users should not be authenticated under any circumstances.
  • Authentication is needed for live Audit Viewer connections to OneSpan Authentication Server. Windows group checks can be used to limit which users are allowed to connect, for example, to members of the Domain Admins group.

Nested groups

OneSpan Authentication Server supports nested groups for Windows group checks in the context of Active Directory. For more information about nested groups, refer to the Microsoft documentation.

Enabling nested groups can cause performance issues in OneSpan Authentication Server in the following cases:

  • There are too many groups in one domain.
  • Active Directory is not optimally configured. For more information, refer to the Microsoft documentation.

Group check modes

If Windows group check is active, users who are members of one of the defined groups are validated via the full authentication process. You can set the group check mode in the OneSpan Authentication Server policy to control the result for users who are not members of one of the defined groups.

At least one Windows group must be defined in the Windows group list in the relevant policy. Group membership is verified within the user's own domain only. This means that these groups must exist in each domain where users need to be included in a specific group.

If Windows group check is enabled, logon requests fail whenever the group check itself fails. This is the case for users who are unknown to Windows.

The following group check modes are available:

Pass back mode

The policy property refers to this mode as Pass requests for users not in listed groups back to host system. In this mode, OneSpan Authentication Server will not handle authentication for users who are not members of any of the listed/defined groups. Instead, these users are handled by the host system, e.g. IIS.

This means that such users neither need an individual user account nor do they need to use an authenticator to log on. As soon as the group check determines that the user is not to be handled, OneSpan Authentication Server stops authentication and returns the corresponding result (not handled).

This mode is suitable for staged deployment of authenticators and for cases where only certain users need strong authentication (using authenticators).

Reject mode

The policy property refers to this mode as Reject requests for users not in listed groups. In this mode, OneSpan Authentication Server rejects authentication immediately for users who are not a member of any of the defined/listed groups.

This mode is suitable to restrict users who are permitted to log on.

Back-end mode

The policy property refers to this mode as Use only Back-End Authentication for users not in listed groups. This mode can be used if back-end authentication is set up (see Back-end authentication).

In this mode, OneSpan Authentication Server will only use back-end authentication for users who are not members of any of the defined/listed groups.

OneSpan Authentication Server will use back-end authentication for the out-of-group users, even if the policy setting for back-end authentication is set to None. With such a policy configuration, the in-group users would be authenticated only by local authentication, while the out-of-group users would be authenticated only by back-end authentication. However, it is necessary to define the Back-End Protocol Policy setting.

If RADIUS back-end authentication is used, authenticating users who are not members of the defined/listed groups is delegated to the RADIUS server. OneSpan Authentication Server will not look up the user account and will skip further local authentication.

This mode is suitable for staged deployment of authenticators and for cases where only certain users need strong authentication (using authenticators).
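The following is an added example, not OneSpan code, that models the decision logic described above for the three group check modes, including nested group resolution restricted to the user's own domain and the failure for users unknown to Windows. The directory contents, user and group names, domains and outcome labels are all constructed for illustration; the mode names mirror the policy property labels.

```python
from enum import Enum

class GroupCheckMode(Enum):
    PASS_BACK = "pass_back"  # Pass requests for users not in listed groups back to host system
    REJECT = "reject"        # Reject requests for users not in listed groups
    BACK_END = "back_end"    # Use only Back-End Authentication for users not in listed groups

# Constructed directory (assumption, not real AD data): (domain, group) -> members.
# A member is either a user "name@DOMAIN" or a nested group "group:NAME" of the same domain.
DIRECTORY = {
    ("CORP", "OTP-Users"): {"alice@CORP", "group:Staged-Wave2"},
    ("CORP", "Staged-Wave2"): {"bob@CORP"},
    ("CORP", "Domain Admins"): {"carol@CORP"},
    ("LAB", "OTP-Users"): {"dave@LAB"},
}
KNOWN_USERS = {"alice@CORP", "bob@CORP", "carol@CORP", "dave@LAB", "erin@CORP"}

def effective_groups(user, nested=True):
    """Groups the user belongs to, resolved within the user's own domain only."""
    domain = user.split("@", 1)[1]
    result, frontier = set(), set()
    for (dom, group), members in DIRECTORY.items():
        if dom == domain and user in members:
            frontier.add(group)
    while frontier:  # expand parents that contain an already-found group as a member
        group = frontier.pop()
        if group in result:
            continue  # guards against group cycles
        result.add(group)
        if not nested:
            continue
        for (dom, parent), members in DIRECTORY.items():
            if dom == domain and f"group:{group}" in members:
                frontier.add(parent)
    return result

def group_check(user, listed_groups, mode, nested=True):
    """Outcome of the group check: full_auth, not_handled, rejected, back_end_only or failed."""
    if user not in KNOWN_USERS:
        return "failed"  # unknown to Windows: the group check itself fails
    if effective_groups(user, nested) & set(listed_groups):
        return "full_auth"  # in-group users go through the full authentication process
    return {
        GroupCheckMode.PASS_BACK: "not_handled",
        GroupCheckMode.REJECT: "rejected",
        GroupCheckMode.BACK_END: "back_end_only",
    }[mode]
```

Note that `dave@LAB` passes only because a group named `OTP-Users` also exists in the LAB domain; with nested resolution disabled, `bob@CORP` is no longer treated as an in-group user.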