Machine Authentication for Ivanti Policy Secure Overview

Machine authentication uses machine credentials (machine name and password or machine certificate) to authenticate the endpoint. You can enable machine authentication for Ivanti Policy Secure as part of a Ivanti Secure Access Client Connection and distribute the connection to endpoints through the normal Ivanti Secure Access Client distribution methods. You enable machine authentication support on a Ivanti Secure Access Client connection, either Layer 2 or Layer 3.

The following describes the requirements for a machine authentication environment:

The authentication server used by the Ivanti Secure Access Client connection must be Active Directory/Windows NT for machine name/password authentication or a certificate server for machine certificate authentication.

The endpoint must be a member of a Windows domain, and the machine credentials must be defined in Active Directory.

The Ivanti Secure Access Client connection must be configured so that no prompts are presented during the login process. For example, prompts for realm or role selection or for a server certificate trust prompt cause the connection to fail. You can specify a preferred role and realm for the connection, which eliminates realm and role selection dialogs.

If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, the preferred roles and realms you specify must be applicable to all of those servers.

For machine certificate authentication, the domain workstation login certificate must be issued by the domain certificate authority. The root certificate must be in the Machine Trusted Certificate store instead of the certificate store for a particular user.

Ivanti Secure Access Client supports the following machine authentication types:

machine-only: The connection is established using machine credentials when no user is logged in. The connection is maintained after user login.

user-after-desktop: The connection is established using machine credentials when no user is logged in. After user login, the machine connection is disconnected. Once the user logs out, the user connection is disconnected and the machine connection is reestablished.