04-30-2026 11:19 AM
We are using LDAP for the username/password authentication and I am now trying to set up our GP Portal to use username/password AND a user certificate for MFA. I've seen some documentation that states that the GP Agent will look at the local user and computer store, but is there a way to have it look at an external device?
Also, what information needs to be on the certificate? Specifically what is GP looking for? The username as the subject? Should it be the DOMAIN\username? Or just the username?
05-01-2026 08:25 AM
JWil2 - Where is the private key stored? On the USB as well? Services that need to leverage cert-based auth need the public key and private key, which Windows holds in different places on the OS. The internal components in the OS respond to challenges when responding to auth requests. You could use a solution like YubiKey, which is USB-based but has a TPM which holds the private key material and also has an open interface that holds the public key... all in one chip. This is usually secured with a PIN, so when you open a GP session, Windows will prompt you for the PIN, which is used to access the YubiKey material through the Windows driver, and then presents the cert to GP and responds to the cert process. I use this and it works well. Does that answer your question?
-Nathan
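
Added example, not part of the thread or of any vendor documentation: a PowerShell check to run on the Windows endpoint that lists the client-authentication certificates in the user and computer stores mentioned in the question, the identity strings each one carries (subject, simple name, UPN from the SAN), and which key provider holds the private key. It assumes RSA keys and does not determine which field GlobalProtect matches on; compare the output with what the portal is configured to expect.

```powershell
# List certificates usable for client authentication and show, for each,
# the identity fields and where the private key is held.
$x509 = 'System.Security.Cryptography.X509Certificates'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication
$nameType = "$x509.X509NameType" -as [type]
$ekuType  = "$x509.X509EnhancedKeyUsageExtension" -as [type]
$rsaExt   = "$x509.RSACertificateExtensions" -as [type]

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        # A certificate with no EKU extension is valid for any purpose.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains $clientAuthOid)) {
            continue
        }

        $provider = 'no private key'
        $hardware = $null
        if ($cert.HasPrivateKey) {
            try {
                # Opening the key may raise a PIN prompt for token-backed keys.
                $key = $rsaExt::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    $provider = $key.Key.Provider.Provider
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                    $hardware = $key.CspKeyContainerInfo.HardwareDevice
                } else {
                    $provider = 'non-RSA or unknown key type'
                }
            } catch {
                $provider = "unavailable: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Store       = $store
            Subject     = $cert.Subject
            SimpleName  = $cert.GetNameInfo($nameType::SimpleName, $false)
            UpnFromSan  = $cert.GetNameInfo($nameType::UpnName, $false)
            NotAfter    = $cert.NotAfter
            KeyProvider = $provider
            HardwareKey = $hardware
            Thumbprint  = $cert.Thumbprint
        }
    }
}
```

A smart-card or token-backed certificate normally shows a smart card provider name in `KeyProvider`, while a software key shows a software provider; `HardwareKey` is only populated for legacy CSP keys.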

