
Auth agent203ADFS Gpo Template Guide

The RSA Authentication Agent 2.0.3 for Microsoft AD FS Group Policy Object Template Guide provides instructions for network and system administrators on deploying and managing RSA Authentication Agent through Group Policy Object (GPO) templates. It includes details on installing templates, configuring policy settings, and managing the agent for Active Directory Federation Services. The guide emphasizes compliance with licensing agreements and encryption regulations, and offers support resources through RSA Link.

Uploaded by

rchebbi

RSA Authentication Agent 2.0.3 for Microsoft® AD FS
Group Policy Object Template Guide

Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

Dell, RSA, the RSA Logo, EMC and other trademarks, are trademarks of Dell Inc. or its subsidiaries. Other
trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to
www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to Dell Inc. or its subsidiaries,
are furnished under license, and may be used and copied only in accordance with the terms of such license and
with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof,
may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by Dell Inc.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed on the product documentation page on RSA
Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export
of encryption technologies, and current use, import, and export regulations should be followed when using,
importing or exporting this product.

Distribution

Use, copying, and distribution of any Dell software described in this publication requires an applicable software
license.

Dell Inc. believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

© Copyright 2007-2020 Dell Inc. or its subsidiaries. All Rights Reserved.

July 2020
RSA Authentication Agent 2.0.3 for Microsoft AD FS GPO Template Guide

Contents

Preface
    Audience
    Support and Service
    RSA Ready Partner Program

Chapter 1: Group Policy Object Templates
    Group Policy Object Templates
    Template Files
    Template Policies
    Policy Settings

Chapter 2: Deploying Group Policy Object Templates
    Prepare to Deploy the RSA Group Policy Object Templates
    Installing the RSA Group Policy Object Templates
        Install the Templates on a Windows Server Domain Controller
        Install the Templates on a Windows Server AD FS Server
    Configuring the Policy Settings
        Configure Policy Settings on a Windows Server Domain Controller
        Apply the Policy Settings to Computers in a Domain
        Configure Policy Settings on a Windows Server AD FS Server
    Changing GPO Policy Settings

Preface

Audience

This guide is for network and system administrators who deploy, configure, and manage RSA Authentication
Agent for Microsoft AD FS.

The document assumes you have experience using Microsoft Active Directory® Federation Services (AD FS) for
Windows Server®. It also assumes you have experience with RSA Authentication Manager or the Cloud
Authentication Service, or you are working with an administrator for those products.

Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link
contains a knowledgebase that answers common questions and provides solutions to known problems, product
documentation, community discussions, and case management.

RSA Ready Partner Program

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware
and software products that have been certified to work with RSA products. The website includes
Implementation Guides with step-by-step instructions and other information on how RSA products work with
third-party products.


Chapter 1: Group Policy Object Templates


Group Policy Object Templates

RSA Group Policy Object (GPO) templates allow you to manage Authentication Agent for AD FS. The templates
are part of the Authentication Agent for AD FS software kit.

The RSA GPO templates contain policy settings that you can apply to the appropriate computers. For example,
you can install the templates on a domain controller and configure the policy settings using Group Policy
Management and the Group Policy Management Editor. You can then specify the computers or groups of
computers to which the policy settings will apply.

Alternately, if you want to manage the policy settings on AD FS servers separately, you can install the templates
on those servers and configure them individually using the Local Group Policy Editor. The GPO templates are
installed when you install Authentication Agent for AD FS.

Once a policy template is installed, you can configure the policy settings it contains. If you change the policy
settings, the new settings override any previous settings. In domain environments, all computers wait for
specified refresh intervals before updating their settings. When installed and configured locally on individual
servers, the settings apply immediately. The settings defined by the RSA policies are written to the Windows®
registry under HKEY_LOCAL_MACHINE\Software\Policies\RSA.

Template Files

The RSA GPO template files come with the agent, but you can also download them separately through the product
page on RSA Link at https://community.rsa.com. You can install the following template files to manage
Authentication Agent for AD FS.

GPO Template File                     English Language Resource File
RSAPresentationSettingsADFSv2.admx    RSAPresentationSettingsADFSv2.adml
RSAServerSettingsADFSv2.admx          RSAServerSettingsADFSv2.adml

Each template is paired with a corresponding English language resource file. You must install all four files for
the templates to work properly.

Template Policies

The RSA GPO templates contain policy settings that allow you to customize behaviors for Authentication Agent
for AD FS. Here are the policy settings for the agent:

• Custom message text for RSA authentication page. The text you enter here appears near the
bottom of the Authentication Agent for AD FS authentication page, above the logo and copyright
information. If this policy setting is disabled or not configured, the agent does not display message text.

• Custom logo for RSA authentication page. The image you specify here appears between the
custom text and the copyright information on the Authentication Agent for AD FS authentication page.
The image must be saved to C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA
Adapter\images on the AD FS server, and the AD FS administrator account must have read and execute
access to this folder. If this policy setting is disabled or not configured, the agent displays the RSA
SecurID logo.

• Custom copyright information for RSA authentication page. The text you enter here appears at
the bottom of the Authentication Agent for AD FS authentication page, below the logo and custom text. If
this policy setting is disabled or not configured, the agent displays Dell copyright information.

• AD FS username format sent to Authentication Manager. This policy setting has three mutually
exclusive options:

Policy Setting Options                 Option Behavior
User name                              The agent sends a simple user name such as jjones1 to RSA
                                       Authentication Manager or the Cloud Authentication Service.
Security Account Manager (SAM) name    The agent sends a SAM-formatted account user name such as
                                       finance\jjones1 to RSA Authentication Manager or the Cloud
                                       Authentication Service. This choice replaces the deprecated
                                       Send Domain policy setting from previous versions of the agent.
User Principal Name (UPN)              The agent sends a User Principal Name such as jjones@myco.com
                                       to RSA Authentication Manager or the Cloud Authentication
                                       Service.

If this policy setting is disabled or not configured, only the user name is sent.

• Validate the AD FS Authentication Context. This policy setting requires version 2.0.2 or later of
the RSA Authentication Agent for AD FS. By default, RSA performs additional validation on the
Authentication Context the Authentication Agent for AD FS receives from the AD FS server during an
authentication. RSA's additional validation depends on session cookies that are not set when
provisioning a Windows Hello for Business PIN. To allow users to set a Windows Hello for Business PIN,
disable this setting.

Note: When RSA SecurID is used as the primary authentication method on Windows Server 2019, the
policy setting “Validate the AD FS authentication context” must be disabled. For instructions, see the
RSA Authentication Agent 2.0.3 for Microsoft AD FS Administrator's Guide.

• Proxy server for connections to an RSA authentication server. This policy setting requires
version 2.0.3 or later of the RSA Authentication Agent for AD FS. By default, the agent connects to the
RSA authentication server (RSA Authentication Manager or the Cloud Authentication Service) using the
web proxy configured using the Windows system and user settings. This policy allows you to configure
a different web proxy that the agent uses to connect to the authentication server.

The Server setting must be a valid DNS host name. Do not include a protocol prefix.

The Port setting must be a valid IP port number.

Note: Improper web proxy configuration can result in connection failures.
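
The Server and Port rules above can be checked before the values are typed into the policy. The following PowerShell is an added example, not part of the RSA guide or the agent; the function name Test-RsaProxySetting, the 1-65535 port range, and the sample values are assumptions made for illustration.

```powershell
# Added example: pre-check values intended for the proxy policy setting.
# Test-RsaProxySetting is a hypothetical helper name, not an RSA cmdlet.
function Test-RsaProxySetting {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Port,
        [switch]$CheckConnectivity   # optional TCP probe from this host
    )
    $problems = @()

    # Server: host name only, no protocol prefix, path, or embedded port.
    if ($Server -match '^[a-z][a-z0-9+.-]*://') {
        $problems += 'Server includes a protocol prefix; enter the host name only.'
    }
    elseif ($Server -match '[/:\s]') {
        $problems += 'Server contains a path, port, or whitespace; enter the host name only.'
    }
    elseif ([System.Uri]::CheckHostName($Server) -ne [System.UriHostNameType]::Dns) {
        $problems += 'Server is not a valid DNS host name.'
    }

    # Port: assumed here to mean a whole number from 1 to 65535.
    $portNumber = 0
    if (-not [int]::TryParse($Port, [ref]$portNumber) -or
        $portNumber -lt 1 -or $portNumber -gt 65535) {
        $problems += 'Port must be a whole number from 1 to 65535.'
    }

    # Only probe the network when the syntax checks passed.
    if (-not $problems -and $CheckConnectivity) {
        $probe = Test-NetConnection -ComputerName $Server -Port $portNumber `
                                    -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            $problems += "Cannot open TCP port $portNumber on $Server from this host."
        }
    }

    [pscustomobject]@{
        Server   = $Server
        Port     = $Port
        Valid    = -not $problems
        Problems = $problems -join ' '
    }
}

# Constructed sample values: the first passes, the other two are rejected.
Test-RsaProxySetting -Server 'proxy.corp.example'         -Port '8080'
Test-RsaProxySetting -Server 'https://proxy.corp.example' -Port '8080'
Test-RsaProxySetting -Server 'proxy.corp.example'         -Port '70000'
```

Run it with -CheckConnectivity on the AD FS server itself, since that is the host that will open the connection through the proxy.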

Policy Settings

You configure the policy settings contained in a template by selecting one of the following options:

Not Configured. This is the default setting of an installed template.

Enabled. This option activates the template setting.

Disabled. This option deactivates the template setting.

Not Configured is not always the same as Disabled. Not Configured is the default setting. Review each policy
setting carefully.

For information on configuring policy settings contained in a template, see Configuring the Policy Settings.


Chapter 2: Deploying Group Policy Object Templates


Prepare to Deploy the RSA Group Policy Object Templates

Group Policy is a feature of Microsoft Windows. RSA recommends that before you deploy the RSA GPO templates,
you become familiar with Microsoft Windows Group Policy concepts and best practices. For more information,
search the Microsoft Support website at https://support.microsoft.com/en-us.

If you want to manage the policy settings on AD FS servers separately, you can configure the template settings
on each server individually using the Local Group Policy Editor. For more information, see Install the Templates
on a Windows Server AD FS Server and Configure Policy Settings on a Windows Server AD FS Server.

Installing the RSA Group Policy Object Templates

The RSA GPO templates come with the agent, but you can also download them separately through the product page
on RSA Link at https://community.rsa.com.

If you want to apply the template settings to multiple computers in a domain, see Install the Templates on a Windows
Server Domain Controller below.

If you do not want to apply the template settings to all of the computers in the domain, you can apply the policies
to specific computers or groups within the domain. For more information, see Apply the Policy Settings to
Computers in a Domain.

In domain environments, computers wait for specified refresh intervals before updating their settings. When
the refresh process ends, settings associated with the templates are loaded into the Windows registry. The
settings specified in the Group Policy Object templates override the settings configured on individual
computers.

If you want to apply policy settings to computers that are not subject to Group Policy from a domain controller, see
Install the Templates on a Windows Server AD FS Server.

Install the Templates on a Windows Server Domain Controller

Install the templates by copying them to the appropriate local directory or shared network location.

If you installed Windows Server in “Server Core” mode instead of “Desktop Experience” mode, you must use the
command line to copy the template files. Refer to the Windows Server documentation for details on using Server
Core mode.

Do one of the following to install the templates on a Windows Server domain controller:

• Copy the complete contents of the RSA_Authentication_Agent_ADFS_GPO.zip package to
C:\Windows\PolicyDefinitions on the domain controller, preserving the existing subfolder
structure.
• Copy the complete contents of the RSA_Authentication_Agent_ADFS_GPO.zip package to the
following shared network location on the domain controller, preserving the existing subfolder structure:

\\<domain_name>\SYSVOL\<domain_name>\Policies\PolicyDefinitions

where <domain_name> is the name of the domain containing the AD FS servers where the policy
settings will apply.

Note: Create the PolicyDefinitions folder if it does not already exist.

The RSA GPO templates are installed in the default Not Configured state, and additional steps are required to
configure the settings and apply them to a domain policy. For more information about configuring the settings,
see Configure Policy Settings on a Windows Server Domain Controller below.
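
On a Server Core installation the copy has to be done from the command line. The following PowerShell is an added example, not part of the RSA guide or kit: it stages the package, copies it with its subfolders, and confirms that all four template files arrived. The package path is an assumption, and the script assumes the language resource subfolder sits beside the .admx files inside the package.

```powershell
# Added example, not RSA's own tooling. $ZipPath and $Destination are assumptions.
param(
    [string]$ZipPath = 'C:\Temp\RSA_Authentication_Agent_ADFS_GPO.zip',
    # Local store; for the shared location pass
    # \\<domain_name>\SYSVOL\<domain_name>\Policies\PolicyDefinitions instead.
    [string]$Destination = "$env:SystemRoot\PolicyDefinitions"
)
$ErrorActionPreference = 'Stop'

# The guide requires all four of these files for the templates to work.
$required = 'RSAPresentationSettingsADFSv2.admx', 'RSAPresentationSettingsADFSv2.adml',
            'RSAServerSettingsADFSv2.admx',       'RSAServerSettingsADFSv2.adml'

# Extract to a staging folder so an incomplete package never reaches the store.
$staging = Join-Path $env:TEMP ('rsa-gpo-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $staging
try {
    $files   = @(Get-ChildItem -LiteralPath $staging -Recurse -File)
    $missing = @($required | Where-Object { $_ -notin $files.Name })
    if ($missing) { throw "Package is missing: $($missing -join ', ')" }

    # Assumption: the language subfolder sits beside the .admx files, so the folder
    # holding the first .admx is the root of the structure to preserve.
    $root = ($files | Where-Object Name -eq $required[0] |
             Select-Object -First 1).DirectoryName

    # Create PolicyDefinitions if it does not already exist, then copy with subfolders.
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -Path (Join-Path $root '*') -Destination $Destination -Recurse -Force

    # Verify the result: every required file name must now exist under the store.
    $installed = @(Get-ChildItem -LiteralPath $Destination -Recurse -File |
                   Where-Object { $_.Name -in $required })
    $stillMissing = @($required | Where-Object { $_ -notin $installed.Name })
    if ($stillMissing) { throw "Not installed: $($stillMissing -join ', ')" }
    $installed | Select-Object FullName, Length, LastWriteTime
}
finally {
    # Remove the staging copy whether or not the install succeeded.
    Remove-Item -LiteralPath $staging -Recurse -Force
}
```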

Install the Templates on a Windows Server AD FS Server


Typically, you do not need to install the templates on an AD FS server where Authentication Agent for AD FS is
installed, because the agent installer installs them. You may need to install the templates if you delete them.

To install the templates on an AD FS server, copy the complete contents of the
RSA_Authentication_Agent_ADFS_GPO.zip package to C:\Windows\PolicyDefinitions on the AD FS server,
preserving the existing subfolder structure.

The RSA GPO templates are installed in the default Not Configured state, and additional steps are required to
configure the settings and apply them to the local policy. For more information about configuring the settings,
see Configure Policy Settings on a Windows Server AD FS Server.

Configuring the Policy Settings

This section describes how to access and configure the GPO policy settings on a domain controller or AD FS
server.

Make sure that the templates are installed. For more information, see Installing the RSA Group Policy Object
Templates.

Configure Policy Settings on a Windows Server Domain Controller


Perform this procedure to access the RSA GPO policies and configure their settings.

Procedure
1. Click Start > Administrative Tools > Group Policy Management.
2. If necessary, double-click the domain name in the left-hand frame to expand it.
3. If necessary, double-click Group Policy Objects to expand it.
4. (Optional) If you need to create a new policy, do the following:
    a. Right-click Group Policy Objects and select New.
    b. Type a name for your policy in the Name field.
    c. Click OK.
5. Right-click the policy you want to edit, for example, Default Domain Policy, and click Edit.
6. Double-click Computer Configuration.
7. Double-click Policies.
8. Double-click Administrative Templates.
9. Double-click RSA AD FS V2.
10. Double-click Local Authentication Settings.
11. Double-click the policy setting you want to edit in the right-hand pane.
12. Configure options for the policy setting as appropriate.
13. Click OK.

After you finish

Additional steps may be required to apply the policy settings to computers or groups in the domain. For more
information, see Apply the Policy Settings to Computers in a Domain below.

Apply the Policy Settings to Computers in a Domain


After you install the GPO templates and configure the policy settings on a Windows Server domain controller,
you must specify the computers or groups to which the policies will apply.

Procedure
1. Click Start > Administrative Tools > Group Policy Management.
2. If necessary, double-click the domain name in the left-hand frame to expand it.
3. If necessary, double-click Group Policy Objects to expand it.
4. Click the name of the policy object you want to edit to select it.
5. In the Security Filtering section, under the Scope tab in the right-hand frame, click Add....
6. Click Object Types... and place a check in the box marked Computers.
7. Click OK.
8. In the field labeled Enter the object name to select:, type all or part of the computer or group name
to which you want to apply the policy.
9. Click OK. If the Multiple Names Found dialog box appears, select the appropriate computer or group
from the list, and click OK.
10. Repeat Step 5 through Step 9 as required, until you have specified all computers or groups to which the
policy object should apply.
11. (Optional) If you need to link the policy object to a domain or organizational unit, do the following:
    a. In the left-hand frame, right-click the domain or organizational unit and select Link an existing
       GPO....
    b. Select the policy from the Group Policy objects list.
    c. Click OK.

12. Close the Group Policy Management window.

Note: RSA recommends enforcing the policy on the domain controller. Otherwise, users with administrator
privileges can change the settings by editing them locally. For more information, go to the Windows Server
Group Policy page in the Microsoft Support Knowledge Base at http://www.microsoft.com/grouppolicy/.
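
The scoping and linking steps above can also be scripted with the GroupPolicy PowerShell module, which is useful where the console is not available. This is an added example, not part of the RSA guide; the GPO, group, and OU names are assumptions, and it takes "enforcing the policy" to mean the Enforced option on the GPO link.

```powershell
# Added example. Run where the Group Policy Management tools are installed.
Import-Module GroupPolicy

# Assumed names (not from the guide): replace with your GPO, group, and OU.
$GpoName   = 'RSA AD FS Agent Settings'
$AdfsGroup = 'ADFS-Servers'          # security group holding the AD FS computer accounts
$TargetOu  = 'OU=ADFS,OU=Servers,DC=corp,DC=example'

# Create the policy object if it does not exist yet.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# Security Filtering: give the group Read and Apply rights on the GPO.
Set-GPPermission -Name $GpoName -TargetName $AdfsGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Link the GPO to the OU with Enforced set, updating the link if it already exists.
$link = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object DisplayName -eq $GpoName
if ($link) {
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Review who the GPO applies to. A new GPO also grants GpoApply to
# Authenticated Users by default, so check that the filter is as narrow as intended.
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Review the link state on the OU.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Select-Object DisplayName, Enabled, Enforced
```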

Configure Policy Settings on a Windows Server AD FS Server


Perform this procedure to access the RSA GPO policies and configure their settings.

Procedure
1. Click Start.
2. Search for gpedit.msc and press Enter.
3. Double-click Computer Configuration.
4. Double-click Administrative Templates.
5. Double-click RSA AD FS V2.
6. Double-click Local Authentication Settings.
7. Double-click the policy setting you want to edit in the right-hand pane.
8. Configure options for the policy setting as appropriate.
9. Click OK.
10. Close the Local Group Policy Editor.

Changing GPO Policy Settings

The GPO policy settings are read when the Agent for AD FS is registered with AD FS. You must re-register the
agent after you change a GPO policy setting.

Procedure
1. Unregister and register Agent for AD FS.
2. Restart the Active Directory Federation Services (adfssrv) on every AD FS server in the server farm.

For more information, see the RSA Authentication Agent 2.0 for Microsoft AD FS Administrator's Guide on RSA
Link: https://community.rsa.com/community/products/securid/authentication-agent-adfs.
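
Because the settings are read only at registration, it helps to confirm that every server in the farm holds the same policy values under HKEY_LOCAL_MACHINE\Software\Policies\RSA before re-registering the agent. The following PowerShell is an added example, not part of the RSA guide; the server names are constructed and PowerShell remoting to each AD FS server is assumed.

```powershell
# Added example. Server names are constructed; PowerShell remoting must be enabled.
$FarmServers = 'adfs01.corp.example', 'adfs02.corp.example'

# Collect every value under the RSA policy key on each server.
$snapshot = Invoke-Command -ComputerName $FarmServers -ScriptBlock {
    $root = 'HKLM:\Software\Policies\RSA'
    if (-not (Test-Path -LiteralPath $root)) { return }   # no RSA policy applied here
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse)
    foreach ($key in $keys) {
        # Value names are whatever the templates wrote; none are assumed here.
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key.Name
                Name = $name
                Data = ($key.GetValue($name) -join ';')
            }
        }
    }
}

# A setting has drifted when servers disagree on its data or some server lacks it.
$drift = $snapshot | Group-Object Key, Name | ForEach-Object {
    $values  = @($_.Group.Data | Sort-Object -Unique)
    $present = @($_.Group.PSComputerName | Sort-Object -Unique)
    $absent  = @($FarmServers | Where-Object { $_ -notin $present })
    if ($values.Count -gt 1 -or $absent.Count -gt 0) {
        [pscustomobject]@{
            Setting   = '{0}\{1}' -f $_.Group[0].Key, $_.Group[0].Name
            Values    = $values -join ' | '
            MissingOn = $absent -join ', '
        }
    }
}

if (-not $snapshot) { 'No RSA policy values were found on any listed server.' }
elseif ($drift)     { $drift | Format-Table -AutoSize -Wrap }
else                { 'RSA policy values are identical on all listed servers.' }
```

A server listed under MissingOn has usually not reached its Group Policy refresh interval yet or falls outside the GPO's security filtering.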
