We regularly write new guides and documentation to make multi-factor authentication with our products as easy as possible for you.  
However, if you get stuck without help, feel free to contact our support.

+1 (864) 704-4691

HID Global

  • To add a Digital Persona AD license, you need the Digital Persona Admin Tools installed on a machine that has the DP server or workstation application, die AD users and computers snap-in and the group policy management snap-in installed. 
  • The DP Admin Tools should be installed completely. This installs the MMC-extensions needed for group policy management, the ADUC console, the license management tool as well as a user query tool to create csv reports. 
  • The license management tool is integrated with the group policy management. To start it, create a new group policy object or use an existing object that manages your DP AD server configuration. 
  • Open the following path:
  • Computer configuration -> Policies -> Software Settings -> DigitalPersona Server -> Licenses 
  • Open the tool by right clicking on "Licenses" or in the right side of the window and selecting "Activate license". 
  • In the first step the tool checks the connection to the internet and communication with the activation server. 
  • In the next step you need to put in your license ID and password that you got via email from us or directly from Crossmatch. 
  • This is confirmed with "Continue" and your license activation should be finished after a couple of seconds. 
  • Should there be an error, please check your internet connection. 
  • In case the DP server has no internet access the registration can be done on a different machine by uploading an xml challenge file and bringing and xml response file to the server.
To enable Trace Logging for Digital Persona AD, the DP Workstation packs a small diagnostic Tool.
To enable tracing follow these steps:
  1. Navigate to c:\Program Files\Digital Persona\bin
  2. locate the DPDiagnosticTool.exe and start it
  3. Check "Append Traces" if you want to append the new traces to already existing trace files
  4. Check "Include Password Manager Traces" if your issue centers around password manager or license usage
  5. Click "Start Tracing" and reboot the machine
  6. Reproduce the issue and note the exact timestamps of any relevant step
  7. After reproducing the issue, start the Diagnostic Tool again and click "Gather Files"
  8. The Files should be written to C:\Users\Public\Public Documents\Digital Persona\Tracing (C:\Benutzer\Öffentlich\Öffentliche Dokumente\DigitalPersona\Tracing), there should also be a .zip file with the content of the folder included
  9. Send the .zip File with your detailed error description and timestamps to
On DP Server installations the Diagnostic Tool is not included by default. However, it is sufficient to copy the Diagnostic Tool .exe file onto a server and start it there directly. Points 3 to 9 are then unchanged.
In older Versions of Digital Persona AD the Checkbox for point 4 was called "Include OTS tracing" and the buttons were labeled "Start Logging" and "Stop Logging". Everything else works as documented here.
  • The seed file is required in PSKC format (.xml)
  • On the Altus server, navigate to C:\Programs\DigitalPersona\Bin and run the following command: DPOTPMgr.exe /i /f
  1. In a PowerShell session, perform the following steps to configure your Azure AD domain as a Federated domain: 
  2. Start a Windows PowerShell session. 
  3. Import the MSOnline mode by entering the following cmdlet. --> Import-Module MSOnline
  4. Connect to the online service by executing the following cmdlet. --> Connect-MSolService 
  5. Enter the Office 365 administrator username and password. 
  6. Verify that the domain name is listed by executing the following cmdlet. --> Get-MsolDomain -domain 
  7.  You should be able to see the name of the domain that you will be federating. 
  8. Get signing certificate from MetaData. Open the following URL in the Browser: 
  9. Set Domain to federated domain 
  • Set-MsolDomainAuthentication -DomainName -Authentication Federated -ActiveLogOnUri -IssuerUri -LogOffUri -MetadataExchangeUri -PassiveLogOnUri -PreferredAuthenticationProtocol WSFED -SigningCertificate MYBASE64Certificate
The password manager does not work in Chrome and FireFox.
If the Password Manager is not working in Chrome and FireFox, it may be related to your Sophos Endpoint antivirus (
Carry out the following steps from the Sophos Enterprise Console (SEC):
  1. Open the Sophos Enterprise Console
  2. Open the following policy for editing: Policies > Anti-virus and HIPS policy
  3. Click Authorize
  4. In the "Authorization Manager" click on "Websites"
  5. Click "Add" to add a new entry with one of the following values domain name IP address with subnet mask IP address
  6. Enter the following value as the IP address: Note: Wildcards are not supported.
  1. A commercially available adhesive film is suitable for cleaning. With the help of the adhesive strip, dirt can be easily removed. Caution: Please do not use any cleaning agents.
  2. In order for the device to read the print, you should place your finger firmly and completely on the face of the reader. Reposition your finger if the device doesn't respond.
  3. Note that this is an optical device and reading your fingerprint may be affected by overexposure. If necessary, shield your reader from strong light.

Micro Focus

For AAF version lower than 6.3. SP6 patch 1 (
Notice: The following changes must be made again after updating the appliance. The current AAF 6.3 SP6 has not yet integrated the error correction.
It is best to use "vi" to edit the files. On the following page ( you will find a few hints on the use of "vi".

  1. Access the AAF servers via SSH
  2. Open and edit the vi /opt/aauth/docker-compose.yml file
    • Look for the ES_JAVA_OPTS variable
    • Add the value  -Dlog4j2.formatMsgNoLookups=true to this variable
      • Here is an example of what it should look like:
        • "ES_JAVA_OPTS=-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
      • After making the changes, save the file
  3. Open and edit the vi /opt/risk/docker-compose.risk.yml file
    • In each pane look for the "environment" variable
    • Add the value -Dlog4j2.formatMsgNoLookups=true to this variable
      • Here are some examples from teh areas of what it should look like:
        • environment: - "JAVA_OPTS=-XX:MaxRAM=1g -Dlog4j2.formatMsgNoLookups=true"
        • environment: - "JAVA_OPTS=-XX:MaxRAM=1g -Dlog4j2.formatMsgNoLookups=true"
        • environment: - "JAVA_OPTS=-XX:MaxRAM=1g -Xmx1024m -Xms512m -Xss256k -XX:NewSize=700m -XX:MaxMetaspaceSize=128m -XX:MetaspaceSize=128m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Dlog4j2.formatMsgNoLookups=true" ...
        • environment: - "JAVA_OPTS=-XX:MaxRAM=1g -Dlog4j2.formatMsgNoLookups=true"
        • environment: - "JAVA_OPTS=-XX:MaxRAM=512m -Dlog4j2.formatMsgNoLookups=true" ...
        • environment: - "JAVA_OPTS=-XX:MaxRAM=2g -Dlog4j2.formatMsgNoLookups=true"…
  4. After making hte changes, save the file
  5. Now restart the AAF and Risk Service
    • systemctl restart aauth
    • systemctl restart risk-service
    • Please check whether the changes have been applied:
      • grep -i "ES_JAVA_OPTS" /opt/aauth/docker-compose.yml
      • grep -i "JAVA_OPTS" /opt/risk/docker-compose.risk.yml
  6. Now delete the JndiLookup.class from the AAF searchd container
    • Install package via Zypper (online)
      • docker exec -it aaf_searchd_1 bash
      • zypper -n in zip
    • Install package manually (offline)
    • zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • chown elasticsearch:elasticsearch lib/log4j-core-*.jar
    • exit

Log4j vulnerability and Advanced Authentication (

1. Open Group Policy Management
2. Add the following RegistryKey HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\U2fSecurityKeyApiEnabled (REG_DWORD) and set the value 0x00000001
3. Assign the policy to the respective computers
4. After the restart "U2F" should be usable again. 
Microsoft Edge:
1. Open Group Policy Management
2. Add the following RegistryKey
 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\U2fSecurityKeyApiEnabled (REG_DWORD) and set the value 0x00000001
3. Assign the policy to the respective computers
4. After the restart "U2F" should be usable again.

Please find attached an official link with further information:

If the AAF has been connected to Office 365, ScanToMail on the printer may no longer work because the printers cannot authenticate themselves via MFA.

An app password must be created for the "scan user".


You will find a wide repertoire of product data sheets, user manuals and other documentation (in English) on the manufacturer's website.

Yubico Documents

Since version 3.2. supports Joomla! Two-factor authentication with the YubiKey by default. For older versions you also need the Joomla! YubiKey plugin. (Please note that this plugin was not written or maintained by either MTRIX or Yubico.)

Follow this guide to secure your Joomla! account with the YubiKey:
  1. Under Extensions - Plugins look for Two-Factor Authentication. Activate the YubiKey plugin.
  2. You can decide whether you want to enable two-factor authentication for your website, the admin area or both.
  3. Then go to the user for whom you want to set up two-factor authentication via Users. A new tab is available for these by activating the YubiKey plugin, which you can switch to.
  4. Click on the security code field provided. Then trigger your YubiKey by tapping its golden sensor. A code will now appear in the security code field.
  5. Save the settings. The two-factor authentication through the YubiKey is now activated.

You will also be shown ten one-time passwords. You can use this as an alternative to your YubiKey if you cannot access two-factor authentication. 
Save the one-time passwords in a safe place. 
On the Joomla! User Group Fulda you will also find a video tutorial.