What you need for each authentication mechanism

The following table lists the authentication mechanism and the associated Active Directory, LDAP, and Centrify Directory account properties that must be set correctly. If a property is not set correctly, the user may not be able to log in.

Authentication mechanism	Required user account property	Active Directory/LDAP Properties tab	Centrify Directory Profile property
Password	Login Name and Suffix	User logon name on the Account tab	NA
Mobile Authenticator	Registered device	Not applicable	Not applicable
Phone call	Mobile phone number	Open the Telephones tab and set the Mobile field	Set the Mobile Number field
Text message (SMS) confirmation code	Mobile phone number	Open the Telephones tab and set the Mobile field	Set the Mobile Number field
Email confirmation code	Any valid email address	Open the General tab and set the E-mail field	Set the Email address field
Security question(s)	NA	NA	NA
OATH OTP client	NA	NA	NA

Before you enable a specific authentication factor, confirm that each account has current contact information or a currently registered—and make account changes a day before you enable the authentication policy for the accounts. If the information needed for a user’s authentication is not current in Privileged Access Service, the user will not be able to log in.

If you need to modify a user’s Active Directory or LDAP account, any changes you make are not immediately updated in Privileged Access Service. For example, it can take up to 24 hours for changes made in Active Directory Users and Computers to be incorporated into the Privileged Access Service.

By contrast, updates made to Centrify Directory accounts go into effect immediately.

Note:   Users can set their Active Directory or LDAP account’s mobile phone number from the profile tab. When users change their Active Directory or LDAP account’s mobile phone number using the Admin Portal, the change goes into effect immediately.