How can we use Just in Time 2FA - Connect IT Community | Kaseya
<main> <article class="userContent"> <p><strong>Just In Time 2FA</strong> allows selected users to share a particular common username on a short-term basis. This feature lets users use a common username such as Administrator or Admin without tying it to a single user's access or token.</p> <p>For example, user jsmith needs to log into a Windows Domain administrator account named acmeadmin.</p> <ul><li>We create the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.zendesk.com%2Fhc%2Fen-gb%2Farticles%2F360034414732" rel="noopener noreferrer nofollow">user</a> acmeadmin. Enable this user for Just In Time 2FA (JIT).</li> <li>We then allow access to the acmeadmin account via a Passly Directory Manager Group.</li> <li>Any member of the Group can reserve the username and will have the exclusive use of the username for the designated duration.</li> </ul><p><strong>Note</strong>: Just In Time 2FA (JIT) is only compatible with a one-time password (OTP) authentication method.</p> <p><strong>Note</strong>: Users must reserve this JIT-enabled account each time they wish to authenticate.<br>The reservation expires as soon as an authentication is successful.<br></p> <p><strong>Note</strong>: The JIT user account must be in the ACTIVE state for the feature to work properly. 
Setting the account to ACTIVE status will consume a license.</p> <p><strong>Enabling Group access to the common username</strong></p> <ol><li>Log into your Passly tenant as an administrator at https://(your tenant).my.passly.com</li> <li>Select <strong>Directory Manager</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/JBNXVB7D1KTM/1-png.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li> <p>Select <strong>Groups</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZI5XB0LH9JE4/2-png.png" alt="2.PNG" class="embedImage-img importedEmbed-img"></img><br></p> </li> <li> <p>Select the green plus sign in the bottom right corner.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/Y1KTDJ9EAIH9/kb2-png.png" alt="kb2.PNG" width="47" height="46" class="embedImage-img importedEmbed-img"></img></p> </li> <li> <p>Name the Group JIT_Username.<br><strong>Note</strong>: Replace Username with the common username you want to allow access to.<br>Example: Administrator or Admin.<br></p> </li> <li> <p>Then select <strong>Add Group</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/49AGLPPAQ9RP/d-png.png" alt="" class="embedImage-img importedEmbed-img"></img><br><br></p> </li> <li>Add the desired users to the Group JIT_Username.</li> </ol><p><br><strong>To enable Just In Time 2FA for a common username</strong></p> <ol><li>Log into your Passly tenant as an administrator at https://(your tenant).my.passly.com</li> <li>Select <strong>Directory Manager</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/JBNXVB7D1KTM/1-png.png" alt="" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Users</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/10X320NYIL39/3-png.png" alt="3.PNG" class="embedImage-img 
</img></li>">
importedEmbed-img"></img></li> <li>Create the User account by selecting the green plus sign in the bottom right.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/Y1KTDJ9EAIH9/kb2-png.png" alt="kb2.PNG" width="41" height="40" class="embedImage-img importedEmbed-img"></img></li> <li>Name the user account with the common name. Example: Admin, Administrator, admintech, etc.</li> <li>Enable <strong>User supports Just In Time 2FA</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/1QYWN3K7QCSW/5-png.png" alt="5.PNG" class="embedImage-img importedEmbed-img"></img><br><strong>Note</strong>: Ensure that the user is manually set to <strong>Active</strong> status.</li> <li>Select the <strong>Reservation Time</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MJ55V0YPD7SI/6-png.png" alt="6.PNG" class="embedImage-img importedEmbed-img"></img><br><strong>Note</strong>: This should be set to an interval of no less than 1 minute. 5 minutes is recommended to give a user enough time to log in.<br><strong>Note</strong>: Each user will need to reserve the JIT username before they can use it. The reservation is only valid for one authentication. 
</li> <li>Select the <strong>Group Membership</strong> that will be allowed to access this username.<br><strong>Note</strong>: Use the Group JIT_Username that was created above.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZDELKEABRT3Z/mceclip0.png" alt="mceclip0.png" width="534" height="143" class="embedImage-img importedEmbed-img"></img><br></li> </ol><p><strong>Usage</strong></p> <ol><li>User will log into their Passly tenant.</li> <li>User selects <strong>Just In Time 2FA</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MDYCT70G12PA/4-png.png" alt="4.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>User selects Reserve User on the JIT user account they wish to access.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/JBNXVB7D1KTM/1-png.png" alt="1.PNG" class="embedImage-img importedEmbed-img"></img></li> </ol><p>The user should now be able to log into a resource such as a Windows Credential Provider using the common username, such as Administrator, and their own OTP (one-time password).</p> </article> </main>
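<p>The reservation rules stated in the notes above (group-gated, exclusive for the Reservation Time, ended by the first successful authentication, checked against the reserving user's own OTP) can be modeled as a small state machine that also shows how each shared-account logon is attributed to one person. This is an added example, not Passly code: the class, the method names, the user names other than jsmith and acmeadmin, the OTP values and the assumption that the reservation selects whose OTP is verified are all constructed for illustration.</p>

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class JitAccount:
    """Toy model of one JIT-enabled shared username (not Passly code)."""
    name: str                        # shared username, e.g. "acmeadmin"
    group: set                       # members of the JIT_<Username> group
    reservation_seconds: int = 300   # the 5 minutes the page recommends
    active: bool = True              # account must be in the ACTIVE state
    holder: Optional[str] = None     # who currently holds the reservation
    expires_at: float = 0.0
    audit: list = field(default_factory=list)

    def _held(self, now):
        return self.holder is not None and now < self.expires_at

    def reserve(self, user, now):
        if not self.active or user not in self.group:
            return False             # only group members may reserve
        if self._held(now) and self.holder != user:
            return False             # exclusive: someone else holds it
        self.holder, self.expires_at = user, now + self.reservation_seconds
        return True

    def authenticate(self, otp, otp_of, now):
        # Only the shared name and an OTP arrive; the holder's OTP is checked.
        user = self.holder if self.active and self._held(now) else None
        ok = user is not None and hmac.compare_digest(otp, otp_of[user])
        self.audit.append((now, self.name, user, ok))
        if ok:
            self.holder = None       # reservation ends on first success
        return user if ok else None

def demo():
    otp_of = {"jsmith": "492039", "mdoe": "118204"}    # constructed OTPs
    acct = JitAccount("acmeadmin", group={"jsmith", "mdoe"})
    results = [
        acct.reserve("eve", now=0),                    # not in the group
        acct.reserve("jsmith", now=0),                 # reservation granted
        acct.reserve("mdoe", now=60),                  # blocked: exclusive
        acct.authenticate("118204", otp_of, now=90),   # mdoe's OTP rejected
        acct.authenticate("492039", otp_of, now=120),  # attributed to jsmith
        acct.authenticate("492039", otp_of, now=130),  # reservation consumed
        acct.reserve("mdoe", now=140),                 # free again
        acct.authenticate("118204", otp_of, now=500),  # window expired at 440
    ]
    return results, acct.audit
```

<p>The audit list is the part worth checking in a real deployment: every logon under the shared name should resolve to exactly one reserving user and time window.</p>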