Hello!
The EnablePartial2FA key is placed on the target Windows server that requires 2FA, not VIP Enterprise Gateway. Here's an example with five Windows servers:
| Server | EnablePartial2FA present? | EnablePartial2FA value |
| --- | --- | --- |
| VIP Enterprise Gateway | No | n/a |
| App Server 1 | Yes | 1 |
| App Server 2 | Yes | 2 |
| App Server 3 | No | n/a |
| Domain Controller | No | n/a |
In this example, "VIP Enterprise Gateway" and "Domain Controller" are infrastructure servers and do not have multifactor authentication configured on them. "App Server 1" does allow IT to log in. All users must provide passwords. All VIP users must also provide VIP. Some non-VIP users (if any) can log in with username+password only.
"App Server 2" is similar: all users require a password. Only some VIP users are required to enter a VIP code (only the ones in one particular group, as configured on VIP Enterprise Gateway).
"App Server 3" is not configured for VIP, so only username + password is required.
Based upon the same set of users, "App Server 1" has the most authentication requirements (more secure), "App Server 2" is in the middle, and "App Server 3" has the least requirements, but these configurations are usually highly targeted to the IT users who need to access these systems. The above options allow the creation of complex logic to suit the needs of today's Enterprises.
I hope this helps to clarify!
Maren