What you need for each authentication mechanism

The following table lists the authentication mechanism and the associated Active Directory, LDAP, and Centrify Directory account properties that must be set correctly. If a property is not set correctly, the user may not be able to log in.

| Authentication mechanism | Required user account property | Active Directory/LDAP Properties tab | Centrify Directory Profile property |
|---|---|---|---|
| Password | Login Name and Suffix | User logon name on the Account tab | NA |
| Mobile Authenticator | Registered device | Not applicable | Not applicable |
| Phone call | Mobile phone number | Open the Telephones tab and set the Mobile field | Set the Mobile Number field |
| Text message (SMS) confirmation code | Mobile phone number | Open the Telephones tab and set the Mobile field | Set the Mobile Number field |
| Email confirmation code | Any valid email address | Open the General tab and set the E-mail field | Set the Email address field |
| Security question(s) | NA | NA | NA |
| OATH OTP client | NA | NA | NA |

Before you enable a specific authentication factor, confirm that each account has current contact information or a currently registered device, and make account changes a day before you enable the authentication policy for the accounts. If the information needed for a user’s authentication is not current in Privileged Access Service, the user will not be able to log in.

If you need to modify a user’s Active Directory or LDAP account, any changes you make are not immediately updated in Privileged Access Service. For example, it can take up to 24 hours for changes made in Active Directory Users and Computers to be incorporated into the Privileged Access Service.

By contrast, updates made to Centrify Directory accounts go into effect immediately.

Note: Users can set their Active Directory or LDAP account’s mobile phone number from the profile tab. When users change their Active Directory or LDAP account’s mobile phone number using the Admin Portal, the change goes into effect immediately.
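The pre-enablement check described above can be scripted against a directory export. The following is an added example, not Centrify code, and it covers only the three contact-based mechanisms. The record layout (`login`, `source`, `mobile`, `mail`, `whenChanged`), the `source` values, and the function name `preflight` are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Directory attribute each contact-based mechanism depends on (table above).
# "mobile" and "mail" are the LDAP attributes behind the AD Mobile and E-mail fields.
REQUIRED = {"phone_call": "mobile", "sms": "mobile", "email": "mail"}
SYNC_LAG = timedelta(hours=24)  # AD/LDAP edits can take up to 24 hours to sync

def preflight(users, mechanism, enable_at):
    """Return {login: reason} for accounts likely to be locked out."""
    if mechanism not in REQUIRED:
        raise ValueError(f"no directory property to check for {mechanism!r}")
    attr = REQUIRED[mechanism]
    problems = {}
    for u in users:
        if not (u.get(attr) or "").strip():
            problems[u["login"]] = f"missing {attr}"
        # whenChanged is per object, so this flags any recent edit to the
        # account; Centrify Directory edits apply immediately and are skipped.
        elif u["source"] in ("AD", "LDAP") and enable_at - u["whenChanged"] < SYNC_LAG:
            problems[u["login"]] = "edited less than 24h before enablement"
    return problems

# Constructed sample export (not real accounts); the policy goes live at ENABLE_AT.
ENABLE_AT = datetime(2024, 6, 10, 9, 0)
USERS = [
    {"login": "alice@example.com", "source": "AD", "mobile": "+1 555 0100",
     "mail": "alice@example.com", "whenChanged": datetime(2024, 6, 1, 12, 0)},
    {"login": "bob@example.com", "source": "AD", "mobile": "",
     "mail": "bob@example.com", "whenChanged": datetime(2024, 5, 20, 8, 0)},
    {"login": "carol@example.com", "source": "LDAP", "mobile": "+1 555 0101",
     "mail": "carol@example.com", "whenChanged": datetime(2024, 6, 10, 1, 0)},
    {"login": "dave@example.com", "source": "CentrifyDirectory", "mobile": "+1 555 0102",
     "mail": None, "whenChanged": datetime(2024, 6, 10, 8, 30)},
]

if __name__ == "__main__":
    for mech in REQUIRED:
        print(mech, preflight(USERS, mech, ENABLE_AT))
```

An account flagged only for a recent edit may already be current if the change was made through the Admin Portal, as the note above describes.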