4Passwords Authenticator

Step-by-step setup: Secret Server requirements

A short visual guide to setting up your Secret Server so that it supports the authenticator app.

1) Enable the Webservices API

Your system administrator should prepare Thycotic Secret Server before the app is used. Please make sure the following steps have been taken.

  • Make sure the web services are enabled (web services API)
    • In the Thycotic interface go to:
    • Admin > General > Enable Webservices: Yes (picture 1)
    • The default session timeout is 20 minutes, so an online session in the app lasts at most 20 minutes before you have to log in again.
    • IP restrictions can be applied to a Thycotic Secret Server user account, limiting the physical locations or networks from which that user can connect to Secret Server with the app. Note that IP restrictions are not enforced in Offline mode: the app is then reading its encrypted local cache rather than connecting to Secret Server.

2) Prepare The Authenticator Template

  • Install or create a 4PA-compatible Authenticator template
    • The fastest way to get started is to import our template.
      • In Secret Server, as Admin, go to: Admin > Secret Templates
      • Paste the downloaded template into the "Import Secret Templates" section
    • To create an Authenticator template manually:
      • Give the template a name starting with "Authenticator"
      • The minimum the app needs is one field of the password type, named "restorecode", that contains the authenticator code.

Picture two

3) Configure the Autodiscover Secret

  • Create a company-wide Autodiscover preferences secret. This lets all users within a domain use a specific Authenticator template from Secret Server.
    • Create a secret from any web-enabled template in Secret Server (see picture 2).
      • Give the secret the name: 4pa_autodiscover_domain_preferences
        • where the word domain is replaced by the actual domain name that users enter in the domain field at login. If users may enter the domain name in several variants, create one secret for each variant.
        • This can also be the Thycotic alternate name, or the word "local" for local-account preferences. Optionally the domain part can be left out to make a global preferences secret named "4pa_autodiscover_preferences".

      • In the notes field, add a JSON object with the correct Authenticator template ID for your domain.
        • Example: copy and paste the line below and replace #### with the numeric Authenticator template ID:
          {"templateId":"####"}
          • Note: the template ID differs on every Secret Server installation.
          • To quickly retrieve your Authenticator template ID:
            • Switch to the old UI and read the ID from the URL when you create a secret with the Authenticator template (picture 3).
            • Edit the Authenticator template in the admin section of the new UI and read the ID there.
            • Open the browser developer tools on the network tab, start a new secret and select the Authenticator template; the response is a JSON object describing the template, and it contains the ID.
      • The other fields, such as password, URL and username, are ignored by the app but may be required fields in Secret Server.
        • As user ID enter: 4pa_preferences
        • As URL enter the URL of your Secret Server
        • Generate a random password.
      • Save the secret and share it with the correct scope and permissions so that every targeted user can find it.

Picture three (old UI)
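The naming convention and the notes JSON described in step 3, together with the lookup the app performs in the 4PA Settings step of its wizard, can be checked with the following script. It is an added example written for this guide, not code from the 4PA app or from Thycotic. It assumes that secret names are matched case-insensitively and that a domain-specific secret takes precedence over the global one (the guide states neither), and it runs on constructed sample data rather than against a live Secret Server.

```javascript
// Added example, not code from the 4PA app or Thycotic Secret Server.
// Resolves which Autodiscover preferences secret applies to a login domain and
// validates the {"templateId":"####"} note an admin pastes into it.
// Assumptions (not stated in the guide): names are matched case-insensitively,
// and the domain-specific secret wins over the global one.

const GLOBAL_AUTODISCOVER = '4pa_autodiscover_preferences';

// Names to look for, most specific first. An empty domain means "use the Secret
// Server default domain", for which the guide only defines the global secret.
function candidateNames(domain) {
  const d = (domain || '').trim();
  return d ? [`4pa_autodiscover_${d}_preferences`, GLOBAL_AUTODISCOVER]
           : [GLOBAL_AUTODISCOVER];
}

// Parse the notes field. Returns a positive integer template ID, or null when
// the notes are not JSON, lack templateId, or still carry the "####" placeholder.
function parseTemplateId(notes) {
  let obj;
  try { obj = JSON.parse(notes); } catch { return null; }
  if (!obj || typeof obj !== 'object') return null;
  const raw = obj.templateId;
  if (raw === undefined || raw === null) return null;
  const s = String(raw).trim();
  if (!/^[1-9][0-9]*$/.test(s)) return null;   // rejects "####", "", "12a", "0"
  return Number(s);
}

// secrets: [{name, notes}] as the app would receive them from a name search.
// Mirrors the wizard outcomes: a usable secret -> its templateId, otherwise
// "manual configuration required".
function resolveTemplateId(secrets, domain) {
  const byName = new Map(secrets.map(s => [s.name.toLowerCase(), s]));
  for (const name of candidateNames(domain)) {
    const secret = byName.get(name.toLowerCase());
    if (!secret) continue;
    const templateId = parseTemplateId(secret.notes);
    if (templateId !== null) {
      return { status: 'autodiscover', secretName: secret.name, templateId };
    }
    // Right name but broken notes is a misconfiguration; keep looking at the
    // less specific names so the global secret can still serve as fallback.
  }
  return { status: 'manual', secretName: null, templateId: null };
}

// Constructed sample data (not real Secret Server content).
const SAMPLE_SECRETS = [
  { name: '4pa_autodiscover_corp.example_preferences', notes: '{"templateId":"6042"}' },
  { name: '4pa_autodiscover_lab.example_preferences',  notes: '{"templateId":"####"}' }, // placeholder never replaced
  { name: '4pa_autodiscover_preferences',              notes: '{"templateId": 6001}' },
];

for (const domain of ['corp.example', 'lab.example', 'local', '']) {
  console.log(domain || '(default domain)', resolveTemplateId(SAMPLE_SECRETS, domain));
}
```

Run it with node. A domain whose secret still contains the #### placeholder falls through to the global secret, and when no usable secret exists at all the result is the "manual configuration required" outcome that the wizard shows in its 4PA Settings step.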

4) Use the 4PA app

When the app is started for the first time it finds no previous settings and no offline cache, so the setup wizard starts.

The setup wizard guides you through the 4 main steps of configuring the app.

1. Secret Server URL & Authentication Domain (see picture 4)
  • Provide your full Secret Server URL.
    • Make sure the URL starts with https:// (your credentials and secrets must not travel over plain HTTP) and include the subfolder if Secret Server is installed under one.
  • Provide your domain name.
    • This field should contain either your domain name exactly as shown in the domain dropdown of your Secret Server, or the word local for a local-account login, or nothing to use the default domain listed in Secret Server.
  • Press the Next step button to continue.
2. User Credentials
  • Provide your username
  • Provide your password
  • Provide your authenticator code
    • If it is left blank while an authenticator is required, the attempt counts as a failed login.
    • Wait for the OTP to refresh so that you enter a code that is still valid. Too many attempts with a wrong OTP code or password can lock your Thycotic Secret Server account.
    • If logins keep failing with a code that looks correct, the clock on your workstation and the clock on the server may be out of sync; OTP codes are time-based, so both clocks need to agree.
  • Press the Login button
    • If the login succeeds, the wizard continues to the next step.
3. 4PA Settings

This step automatically searches for an existing user preferences secret and for any Autodiscover preferences secrets.

The wizard may show intermediate screens before it reaches its final result; please wait until it has finished.

Below are the three possible results the setup wizard can show.

No preferences found, manual configuration required.

If the app cannot find any preferences secret, it asks you to supply a template ID.

  • If requested, supply the Authenticator template ID.
  • Most likely your Thycotic Secret Server admin did not prepare Secret Server with Autodiscover preferences secrets, or you do not have permission on any of the preferences secrets.
  • You can find the Authenticator template ID manually by creating a new secret with the Authenticator template; the numeric ID is in the URL of the template.

Autodiscover preferences found and loaded, almost done.

In this situation the Autodiscover secrets were found and loaded. Continue with the next step to set up your offline passphrase.

  • Press the Next step button to continue.

User preferences found and loaded, no configuration remaining.

In this situation your user preferences secret was found and loaded. It contains your previously set favorites, offline password and any other application settings that apply, so you can start using the app.

  • Press the "To authenticators" button to close the wizard.

Offline Mode

The offline mode step asks you for a passphrase. With this passphrase the app encrypts all of its local storage, which acts as a cache, using 256-bit AES. This enables Offline mode and the option to store your settings, favorites and offline passphrase in Secret Server in a user preferences secret.

In Offline mode the 4PA Authenticator app can be used without an active internet connection. Offline mode is optional and requires you to create an offline passphrase, which is used to encrypt your data locally. Choose a strong passphrase: while the device is offline, this passphrase is the only protection for the cached codes, and the IP restrictions from step 1 do not apply.

If Offline mode is disabled or not configured, your session is limited to 20 minutes and you are logged out when it expires.

Please note that in Offline mode it is not possible to retrieve new data without going online first.

  • Provide an offline passphrase and press "Enable offline mode". This completes the setup wizard.
  • Optionally, continue as an online-only session.

Picture four
