Enable Certificate-based MFA for LDAP users

Send a One-Time Passcode (OTP) to users' emails to install CSE's certificate

  • Updated on Sep 12, 2025

Overview

Admins can use CSE’s built-in Multi-Factor Authentication (MFA) to secure Active Directory users in their org. The three factors used for authentication are (i) the user (i.e., email), (ii) the device serial number, and (iii) a cryptographic factor (i.e., a certificate).

Certificate-based MFA is important for Active Directory users, since AD credentials are a common target for phishing and other cyber attacks. Adding cert-based MFA ensures that, if a bad actor were to obtain a user’s credentials, CSE-protected resources would still be inaccessible: all three factors must be validated before a user is authenticated to access resources.

The authentication sequence is as follows: a One-Time Passcode (OTP) is sent to the user’s email, and the OTP is required for CSE to install the certificate on the user’s device. Once installed, the certificate silently authenticates access to protected resources in the background, without any further user action.

Each Cloud Secure Edge org has its own private Certificate Authority (CA); this private CA issues, validates, and manages certificates for each user in your environment. To learn more about how certificates are revoked or invalidated, see our doc on de-registering and banning devices.

Complete the following steps to enable MFA for Active Directory users using CSE.

Prerequisites

  • On-premises Active Directory
  • a valid user email address
  • a device (for testing)

Steps to enable cert-based MFA for AD users

Step 1: Enable OTP-based Email verification

1.1 In the Cloud Secure Edge Command Center, navigate to Settings > SonicWall CSE Client > Deployment.

1.2 Under the OTP-based Email Verification setting, do not exempt any users: select None. This ensures that all users in your org will be required to authenticate via their email.


Step 2: Distribute the CSE app to your users to complete device registration

2.1 Use your device manager to distribute the CSE app, or deploy it manually.

2.2 To complete device registration, end users must authenticate with the One-Time Passcode sent to their email. Once the user has authenticated (by successfully entering the emailed OTP into the CSE app authentication flow), the device certificate is installed in the keychain of the user’s device, and MFA is established.