Various forms of authentication are supported by i-net HelpDesk. The configuration allows to enable multiple authentication providers for users to log in with. The same user can have multiple login mechanisms activated for their account.

The configuration order of the providers also defines in which order they are presented to the user. If the guest account is enabled there will be a second login button in the toolbar. Providers working with Basic Authentication are handled using the username and password field of the login form. They may or may not offer a separate button in the login form.

The following providers are currently available:

• Product Authentication
• OAuth2 / OpenID Connect Authentication
• System Authentication
• Token Authentication
• Guest Account
• Single Sign On
• Master Password

Hint: There may be more authentication providers available through the plugin manager that are not yet enabled. Custom authentication providers can be implemented by extending our API.

The access to the i-net HelpDesk requires a login. The login is done via the Login type set in the configuration. The i-net HelpDesk automatically tries to detect the correct authentication service.

In a Windows network, the login is performed against the AD (Active Directory) or the local computer. In a Linux/macOS environment by means of PAM (Pluggable Authentication Modules). If a single sign-on is not possible, a login box for user name and password opens.

In addition, i-net HelpDesk Login can be added as a login type. In certain cases a login outside the company network is desired, e.g. in the support of external customers, whose login accounts should not be stored in any internal database. This is an additional way of logging in.

For each of these users, a password must be set in the Users and Groups application, which is stored in encrypted form.

Note: If you enable the i-net HelpDesk Login login type, then the User can create own account checkbox will be active by default. Uncheck the box if you do not want users to be able to create their own account in i-net HelpDesk.

The order of authentication mechanisms determines the display on the home page and is taken into account when logging in.

Important: The first newly created user after setup gets all permissions in the program. Each additional user has only the permissions of an end-user.

When the i-net HelpDesk is accessed via the network, the computer name of the client is passed to the server and displayed in the Computername field in the user's master data. In each case, the computer name of the last access to i-net HelpDesk is saved. You can disable overwriting of the Computername field here.

Allows any new user who has successfully authenticated to access the application with permissions granted by the All users group.

If this option is deactivated, new users receive a new login prompt even after a successful login.

Note: If a user tries to authenticate with valid Windows login credentials but creation of new users is disabled, then no new account will be created and access will not be granted.

By default, a user's session remains active for 28 days, ensuring they stay logged in. If you disable this feature, the session will time out after 30 minutes. However, to prevent disruptions, the session refreshes every 2 minutes. This ensures that active users, even those with the browser tab or application running in the background, are seldom logged out. Typically, a session will expire only if the browser is closed or the computer is locked.

Note: Session timeouts are unique to each computer, browser, or private browsing tab.

The Reset Members action deletes all current memberships of all authentication groups. Any logged in user who is a member of any of these authentication groups is automatically logged out and must log in again. Only then are memberships of the authentication groups re-evaluated.

This option can be used, e.g. in case you see users that have not logged in for a long time in the Users and Groups manager who should have different user groups assigned.

The two-factor authentication - or 2FA in short - is an additional security measure for user accounts. Using the option "Force two-factor login for all users" it is ensured that every user who did not yet sign up for 2FA will be forced to do so the next time they access the i-net HelpDesk server.

As per the two-factor authentication documentation, there are multiple factors available to choose from for configuration. If your users should use email codes, make sure, that the server is set up with a valid outgoing email configuration and that every user has an email address readily available in the Users and Groups application.

Note: Before activating this option, make sure that the prerequisites are met by the i-net HelpDesk server and the users. You should also inform your users about the measure beforehand.

This advanced option allows to whitelist IP addresses that will not require the second factor. You can add multiple IPv4 and IPv6 addresses, separated by comma or semicolon. It can be used to distinguish requests to the server from a public IP address or from an internal network or a DMZ.

The IP address has to be one of the binding IP addresses on which the server is running with its published ports.

Note: Since force 2FA is enabled, users will have to add a second factor the first time they access the service from a non-disabled IP address.

Note: Disabling the 2FA requirement for an IP implies that no accounts, even administrative ones, do not require the second factor when logging in. This option should be handled with extreme caution.