How do I configure Windows Logon Manager (WLM) to allow fail-over servers?

WLM can be configured to use additional fail-over servers if the primary server is not available.

Configuring WLM to access any SurePassID MFA server requires setting three values in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\SurePassId\CredProv:

1. AuthServerURL - Set to MFA server URL

2. AuthServerToken - Set to Account Login Name. Starting with Release 23.1 this would be the Key Id field of the Application Key

3. AuthServerKey - Set to Account Login Password. Starting with Release 23.1 this is the Key field of the Application Key

In normal operation, if WLM makes a request to the AuthServerURL and receives an error, the system denies the user access (unless you enable single-factor access when the system is unavailable, which is STRONGLY NOT RECOMMENDED). To mitigate this availability risk, WLM can be configured to use secondary fail-over MFA servers.

To define the first fail-over MFA server, add the following SurePassID registry keys by duplicating the existing MFA server keys and appending a number, starting with one (1). The first fail-over server is defined by these additional registry entries:

1. AuthServerURL1 - Set this to the first fail-over MFA server URL

2. AuthServerToken1 - Set this to the first fail-over MFA server Account Login Name. Starting with Release 23.1 this would be the Key Id field of the Application Key

3. AuthServerKey1 - Set this to the first fail-over MFA server Account Login Password. Starting with Release 23.1 this is the Key field of the Application Key

You can define up to 9 additional fail-over MFA servers, numbered 1 through 9, in the following form:

AuthServerURL1
AuthServerToken1
AuthServerKey1
...
AuthServerURL9
AuthServerToken9
AuthServerKey9

We strongly recommend that you test your fail-over server configuration as part of your pre-production deployment. This is easily done by setting the primary AuthServerURL on a test user machine to something invalid and verifying that a user can still log in (the fail-over MFA server is now performing the user authentication). If this does not work, or you simply want confirmation that fail-over processing is working, you can turn on tracing on that machine and verify that the fail-over MFA server is handling the request properly.
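The registry layout described above, as an added PowerShell example (not SurePassID's own tooling): Set-WlmMfaServer writes one server definition into a numbered slot, and Test-WlmMfaServerConfig is my own consistency check for half-defined or non-contiguous slots; the URLs and application-key values are placeholders.

```powershell
# Added example, not SurePassID's own tooling. Uses the registry path and value
# names from this article; URLs and credentials below are constructed placeholders.
$CredProv = 'HKLM:\SOFTWARE\SurePassId\CredProv'

# Write one MFA server definition: slot 0 is the primary (no suffix), 1-9 are fail-over.
function Set-WlmMfaServer {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Token,  # Account Login Name / Key Id (Release 23.1+)
        [Parameter(Mandatory)][string]$Key,    # Account Login Password / Key (Release 23.1+)
        [ValidateRange(0, 9)][int]$Slot = 0
    )
    $suffix = if ($Slot -eq 0) { '' } else { "$Slot" }
    New-Item -Path $CredProv -Force | Out-Null
    Set-ItemProperty -Path $CredProv -Name "AuthServerURL$suffix"   -Value $Url   -Type String
    Set-ItemProperty -Path $CredProv -Name "AuthServerToken$suffix" -Value $Token -Type String
    Set-ItemProperty -Path $CredProv -Name "AuthServerKey$suffix"   -Value $Key   -Type String
}

# Audit the slots: a half-defined slot (URL set, Key missing) or a gap in the
# numbering usually means a typo in a value name, which is easy to miss by hand.
function Test-WlmMfaServerConfig {
    $props = Get-ItemProperty -Path $CredProv
    $findings = @()
    $previousComplete = $true
    foreach ($i in 0..9) {
        $suffix = if ($i -eq 0) { '' } else { "$i" }
        $present = @( @('URL', 'Token', 'Key') | Where-Object {
            $name = "AuthServer$($_)$suffix"
            -not [string]::IsNullOrEmpty($props.$name)
        } )
        if ($present.Count -gt 0 -and $present.Count -lt 3) {
            $findings += "slot $i incomplete: only AuthServer$($present -join '/')$suffix set"
        }
        if ($present.Count -gt 0 -and -not $previousComplete) {
            $findings += "slot $i is defined but slot $($i - 1) is not fully defined; check the numbering"
        }
        $previousComplete = ($present.Count -eq 3)
    }
    return $findings   # empty result means every defined slot is complete and contiguous
}

# Usage: primary plus two fail-over servers, then audit. All values are placeholders.
Set-WlmMfaServer -Url 'https://mfa-primary.example.invalid'   -Token 'APPKEY-ID-PRIMARY' -Key 'APPKEY-SECRET-PRIMARY'
Set-WlmMfaServer -Url 'https://mfa-failover1.example.invalid' -Token 'APPKEY-ID-FO1'     -Key 'APPKEY-SECRET-FO1' -Slot 1
Set-WlmMfaServer -Url 'https://mfa-failover2.example.invalid' -Token 'APPKEY-ID-FO2'     -Key 'APPKEY-SECRET-FO2' -Slot 2
Test-WlmMfaServerConfig | ForEach-Object { Write-Warning $_ }
```

Run from an elevated prompt, since the values live under HKEY_LOCAL_MACHINE.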