Skip to main content

Hi all,

 

just looking for some advice. 

 

I have a CommCell that had SSO enabled for years and I can see all the local Support Team accounts under users in the CommCell.

 

I have disabled SSO on the AD domain’s configured and now I am planning on setting up MFA. 

 

My thinking is to do the following 

  1. Create an MFA group
  2. Enabled MFA for above group.
  3. Create new CV only local accounts for CV Admin staff and add these to the MFA group.

Q, is this what others out there are doing ? also for old SSO accounts, can these be added to the MFA group so they can't logon and more with MFA.

 

Thanks 

additionally, while testing MFA I see that a user gets prompted for PIN when using the CommCell Console but for the Command Center its still using SSO even though the SSO tick box is unticked on the domain. 


Hi @atitagain ,
 

You may proceed to follow the above POA to create specific group and enable MFA only for the required group.
However, these configuration are customer environment specific and it depends on how the security features are designed at site to accessing the application while using domain login.

Check if below additional settings are added on web console client properties if its added kindly disable and restart tomcat service once and check login status.


 

Name

bEnableCvAccountsSSO

Category

WebConsole

Type

BOOLEAN

Value

true


 


you may also refer below document and update additional settings as shown in document and change value to 0 to disable SSO


https://documentation.commvault.com/additionalsetting/details?name=SecurityProtocol&_gl=1*12i5cr8*_gcl_au*MTMzMTIzMTc4Ny4xNzIyMjM1OTA4


Reply