What you need for each authentication mechanism
The following table lists each authentication mechanism and the associated Active Directory, LDAP, and Centrify Directory account properties that must be set correctly. If a property is not set correctly, the user may not be able to log in.
| Authentication mechanism | Required user account property | Active Directory/LDAP Properties tab | Centrify Directory Profile property |
| --- | --- | --- | --- |
| Password | Login Name and Suffix | User logon name on the Account tab | NA |
| Mobile Authenticator | Registered device | Not applicable | Not applicable |
| Phone call | Mobile phone number | Open the Telephones tab and set the Mobile field | Set the Mobile Number field |
| Text message (SMS) confirmation code | Mobile phone number | Open the Telephones tab and set the Mobile field | Set the Mobile Number field |
| Email confirmation code | Any valid email address | Open the General tab and set the E-mail field | Set the Email address field |
| Security question(s) | NA | NA | NA |
| OATH OTP client | NA | NA | NA |
Before you enable a specific authentication factor, confirm that each account has current contact information or a currently registered device, and make account changes a day before you enable the authentication policy for the accounts. If the information needed for a user’s authentication is not current in Privileged Access Service, the user will not be able to log in.
If you need to modify a user’s Active Directory or LDAP account, the changes you make are not reflected immediately in Privileged Access Service. For example, it can take up to 24 hours for changes made in Active Directory Users and Computers to be incorporated into Privileged Access Service.
By contrast, updates made to Centrify Directory accounts go into effect immediately.
Note: Users can set their Active Directory or LDAP account’s mobile phone number from the profile tab. When users change their Active Directory or LDAP account’s mobile phone number using the Admin Portal, the change goes into effect immediately.
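A pre-flight check that follows the guidance above, as an added example that is not part of the original documentation: it takes exported account records and reports which planned mechanisms each account could not rely on at the time the policy is enabled. The record field names (`login`, `source`, `mobile`, `mail`, `registered_device`, `changed`) and the sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Account field each mechanism depends on, per the table above (None = no property).
# Field names are assumed export columns, not Privileged Access Service identifiers.
REQUIRED = {
    "password": "login", "mobile_authenticator": "registered_device",
    "phone_call": "mobile", "sms": "mobile", "email": "mail",
    "security_question": None, "oath_otp": None,
}
SYNC_DELAY = timedelta(hours=24)   # worst-case AD/LDAP propagation stated above
SYNCED_SOURCES = {"AD", "LDAP"}    # Centrify Directory edits apply immediately

def check_user(user, mechanisms, enable_at):
    """Return {mechanism: reason} for mechanisms this account cannot rely on at enable_at."""
    problems = {}
    for mech in mechanisms:
        field = REQUIRED[mech]
        if field is None:
            continue
        if not str(user.get(field) or "").strip():
            problems[mech] = f"{field} not set"
        elif (field != "registered_device" and user["source"] in SYNCED_SOURCES
              and enable_at - user["changed"] < SYNC_DELAY):
            # 'changed' is the account's last directory modification (object-level),
            # so any recent edit is treated conservatively as possibly unsynced.
            problems[mech] = f"{field} may not be synced yet"
    return problems

def preflight(users, mechanisms, enable_at):
    """Return {login: problems} for every account with at least one problem."""
    report = {}
    for u in users:
        problems = check_user(u, mechanisms, enable_at)
        if problems:
            report[u["login"]] = problems
    return report

ENABLE_AT = datetime(2024, 5, 2, 9, 0)  # constructed policy enablement time
USERS = [                               # constructed sample records
    {"login": "alice@example.com", "source": "AD", "mobile": "+1 555 0100",
     "mail": "alice@example.com", "registered_device": True, "changed": datetime(2024, 4, 1, 12, 0)},
    {"login": "bob@example.com", "source": "AD", "mobile": "+1 555 0101",
     "mail": "", "registered_device": False, "changed": datetime(2024, 5, 1, 15, 0)},
    {"login": "carol@example.com", "source": "CentrifyDirectory", "mobile": "",
     "mail": "carol@example.com", "registered_device": False, "changed": datetime(2024, 5, 2, 8, 30)},
]

if __name__ == "__main__":
    for login, problems in preflight(USERS, ["sms", "email", "mobile_authenticator"], ENABLE_AT).items():
        print(login, problems)
```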