Windows Logon Agent – Domain/Workgroup Authentication

This section describes the user authentication journey for the Windows Logon Agent (WLA) in Domain/Workgroup environments, as well as the SkipOtpOnUnlock feature.

User Authentication Journey

The following diagram illustrates the typical authentication workflow for a domain or workgroup user when logging into a Windows workstation protected by the Windows Logon Agent (WLA):

[Diagram: Windows Logon Agent – Domain/Workgroup Authentication workflow]

Authentication Steps

  1. Logon Request Initiated
    A domain or workgroup user initiates a logon request at their Windows workstation.
  2. MFA/Second Factor Validation
    The WLA prompts the user to validate their identity using multi-factor authentication (MFA) or a second factor, as configured. The WLA communicates with SafeNet Trusted Access (STA) to enforce configured access policies and perform authentication.
  3. Microsoft Credentials Validation
    Upon successful MFA, the user is prompted to provide their Microsoft (Active Directory or local) credentials, validated either by:
    • The Active Directory (for domain users), or
    • The user’s workstation (for local/workgroup users).
  4. Access Granted
    Once authentication is successful, the user is logged into the domain or workstation and can access their desktop environment.

SkipOtpOnUnlock Feature

The SkipOtpOnUnlock feature enhances user convenience without compromising security. When enabled, it suppresses OTP or second-factor prompts during workstation unlock if MFA was already completed at logon.

How It Works

  • Initial Logon: Users complete MFA/second-factor authentication.
  • Unlock Scenario: Users are not prompted for OTP or second factor on unlock—only Microsoft credentials are needed.

Feature Benefits

  • Reduces authentication friction for frequent workstation lock/unlock cycles.
  • Keeps strong security at logon while easing daily operations.
  • Improves user experience in secure environments.

Configuration

  1. Open the WLA configuration tool.
  2. Go to the Authentication Policy section.
  3. Set SkipOtpOnUnlock to true or false as needed.
  4. Save and apply configuration.

Resulting configuration entry:

[Authentication]
SkipOtpOnUnlock=true

Note: Applies only to unlock actions after a successful MFA logon.
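The following Python model is an added illustration of the behaviour described in this section (the authentication steps above and the SkipOtpOnUnlock setting); it is not Thales code and the WLA's internal logic is not published here. It reads the setting from an INI-style fragment like the one above, then walks the prompt sequence for a logon and a subsequent unlock, stopping at the first failed check so that the Microsoft credential prompt is never reached when the second factor fails. It also covers the case the note describes: an unlock for a session in which MFA was not completed at logon falls back to the full prompt sequence. The `Session` class, the `Event` enum, the function names and the sample config text are assumptions constructed for the example.

```python
"""Model of the WLA prompt sequence for logon and unlock (constructed example)."""
import configparser
from dataclasses import dataclass
from enum import Enum


class Event(Enum):
    LOGON = "logon"
    UNLOCK = "unlock"


# Constructed config fragment mirroring the entry shown on the page.
SAMPLE_CONFIG = """
[Authentication]
SkipOtpOnUnlock=true
"""


def load_skip_otp_on_unlock(text: str) -> bool:
    """Parse the [Authentication] section; a missing key defaults to False (prompt on unlock)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.getboolean("Authentication", "SkipOtpOnUnlock", fallback=False)


@dataclass
class Session:
    """Hypothetical per-user state the agent would track across lock/unlock cycles."""
    user: str
    logged_on: bool = False
    mfa_completed_at_logon: bool = False


def required_prompts(event: Event, session: Session, skip_otp_on_unlock: bool) -> list[str]:
    """Ordered prompts for this event: second factor first, then Microsoft credentials."""
    if event is Event.LOGON:
        return ["second_factor", "microsoft_credentials"]
    # Unlock: the OTP prompt is skipped only when the feature is on AND this
    # session already completed MFA at logon (the note's precondition).
    if skip_otp_on_unlock and session.mfa_completed_at_logon:
        return ["microsoft_credentials"]
    return ["second_factor", "microsoft_credentials"]


def run_event(event: Event, session: Session, skip_otp_on_unlock: bool,
              second_factor_ok: bool, credentials_ok: bool) -> tuple[bool, list[str]]:
    """Walk the prompt sequence in order; return (access_granted, prompts_actually_shown).

    The outcome flags stand in for the STA policy check and the AD/local
    credential validation; a failed check ends the sequence immediately.
    """
    outcomes = {"second_factor": second_factor_ok, "microsoft_credentials": credentials_ok}
    shown: list[str] = []
    for prompt in required_prompts(event, session, skip_otp_on_unlock):
        shown.append(prompt)
        if not outcomes[prompt]:
            return False, shown
    if event is Event.LOGON:
        session.logged_on = True
        session.mfa_completed_at_logon = True
    return True, shown


if __name__ == "__main__":
    skip = load_skip_otp_on_unlock(SAMPLE_CONFIG)
    s = Session(user="jdoe")  # constructed sample user
    print("logon :", run_event(Event.LOGON, s, skip, True, True))
    print("unlock:", run_event(Event.UNLOCK, s, skip, True, True))
```

Running the script prints a logon that shows both prompts followed by an unlock that shows only the Microsoft credential prompt; flipping the config value to `false`, or using a fresh `Session` that never completed MFA, restores the second-factor prompt on unlock.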
