JIT Domain Log In (BETA)

Understanding how to setup JIT domain login

Written by Chris Liles

Updated at June 25th, 2026


Overview

Just-in-Time (JIT) Domain Log In in AutoElevate enables technicians to securely authenticate into Active Directory domains using temporary privilege elevation, eliminating the need for persistent admin credentials. This feature improves security posture by enforcing least-privilege access while maintaining operational efficiency for support teams.

What is JIT Domain Log In?

Feature Description

JIT Domain Log In allows technicians to request and receive temporary domain access using controlled authorization workflows. Instead of using static domain admin accounts, the system dynamically provisions and manages domain user privileges during the login session.

Key capabilities include:

  • Temporary domain user creation tied to the technician
  • Role- and group-based authorization controls
  • Mobile device approval workflows
  • Automatic privilege downgrade after login

Why It Matters

  • Eliminates persistent domain admin credentials
  • Reduces risk of credential theft or lateral movement
  • Provides full audit visibility of privileged access
  • Aligns with Zero Trust and least privilege security models

Platform-Specific Configuration & Usage


Admin Portal Configuration

Enable JIT Domain Log In
  1. Navigate to Settings → Configuration
  2. Enable the Domain Log In feature
  3. Ensure appropriate permissions are assigned to administrators
Configure Authorizations
  • Define which:
    • Domains are included
    • Users/roles can approve requests
    • Groups or OUs can be selected during login
  • Multiple authorization rules can apply simultaneously (additive model)
Device Authorization Setup
  1. Generate the Certificate Authority (CA) from the portal
    1. Enter a Name for the Certificate Authority
    2. Enter a very strong password
    3. Confirm the password
  2. Click Generate to download both files:  ***DO NOT RENAME THESE FILES***
    • Public Key (installed on Domain Controller)
    • Private Key (stored securely for approvals)

Enable Multiple Downloads in Chrome

By default, Chrome only allows single-file downloads, so you need to allow multiple-file downloads for AutoElevate (the Generate step downloads both key files at once).

  • In the Chrome address bar, go to chrome://settings/content/automaticDownloads
  • Click Add next to Allowed to automatically download multiple files
  • Enter msp.autoelevate.com

  3. Approve technician mobile devices using the secure seed + verification flow
    1. Copy the downloaded private .json file
    2. Enter the password used in the above step
    3. Click the unlock certificate button
    4. Click approve next to the device you want to approve for JIT Domain login
    5. Provide the seed word to the agent to use in registering the device
    6. From the mobile device, click the hamburger menu and select Enable JIT Log In
    7. Enter the seed word
    8. Provide the verification code to the admin
    9. Enter the verification code for the seed word and click Approve
    10. Click Save
    11. On the mobile device, click Check for Approval
    12. The mobile device should indicate Device is Ready for JIT Domain Log In



Domain Controller (Server-Side Setup)

Install Certificate Authority
  1. Ensure the AutoElevate agent is installed on at least one Domain Controller
  2. Create directory: C:\Program Files (x86)\AutoElevate\certificates  
  3. Place the Public Key file (.PEM) in this directory
Requirements
  • At least one Primary Domain Controller must run the AutoElevate agent
  • Domain availability appears only after agent reporting begins
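The server-side prerequisites above can be verified from an elevated PowerShell session on the Domain Controller. The following is an added example (not AutoElevate's own tooling): the certificate path comes from this article, while the agent service name pattern is an assumption you should adjust to the service name shown in services.msc.

```powershell
# Added example, not AutoElevate's own code: verify JIT Domain Log In prerequisites on a DC.
$CertDir             = 'C:\Program Files (x86)\AutoElevate\certificates'  # path from the article
$AgentServicePattern = 'AutoElevate*'   # ASSUMPTION: placeholder pattern, confirm in services.msc

# 1. Confirm this host is a Domain Controller (DomainRole 4 = backup DC, 5 = primary DC)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -lt 4) { Write-Warning "DomainRole is $role; this host is not a Domain Controller." }

# 2. Confirm the agent service exists and is running (domains only appear after it reports)
$services = @(Get-Service -Name $AgentServicePattern -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Warning "No service matching '$AgentServicePattern'; install the AutoElevate agent first."
}
foreach ($s in $services) {
    if ($s.Status -ne 'Running') { Write-Warning "Service '$($s.Name)' is $($s.Status), not Running." }
}

# 3. Create the certificates directory if it does not exist yet
if (-not (Test-Path -LiteralPath $CertDir)) {
    New-Item -ItemType Directory -Path $CertDir | Out-Null
    Write-Output "Created $CertDir"
}

# 4. Check that the downloaded Public Key (.pem) is present and carries a PEM header.
#    Several public keys may coexist here for redundancy, so every .pem is checked.
$pems = @(Get-ChildItem -LiteralPath $CertDir -Filter '*.pem' -File -ErrorAction SilentlyContinue)
if ($pems.Count -eq 0) {
    Write-Warning "No .pem file in $CertDir. Copy the downloaded Public Key here without renaming it."
}
foreach ($pem in $pems) {
    $header = Get-Content -LiteralPath $pem.FullName -TotalCount 1
    if ($header -like '-----BEGIN*') {
        Write-Output "OK: $($pem.Name) ($header)"
    } else {
        Write-Warning "$($pem.Name) lacks a PEM header; it may be the wrong file or corrupted."
    }
}

# 5. Report who can write to the directory; only SYSTEM and Administrators should be able to
(Get-Acl -LiteralPath $CertDir).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```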

Login Workflow

  1. From the server login screen
    1. Click the Just In Time Admin Login User
    2. Click the Begin Just-in-Time Login…
    3. You should be presented with a QR code
  2. Using the AutoElevate Mobile app
    1. Select the Scan barcode Icon
    2. Scan the JIT QR code
    3. Select Domain Group or OU
    4. Click Submit Just-in-time Log In Request
  3. Use strong biometric authentication to complete the domain login

Mobile App (iOS / Android)

Device Approval
  • Devices must be explicitly approved before use
  • Approval requires:
    • Private key unlock
    • Seed exchange
    • Verification code validation
Security Requirements
  • Strong biometric authentication required
  • Minimum OS versions:
    • Android 12+
    • iOS 5.1+
Advanced Use Cases


Secure MSP Operations
Grant technicians domain access across multiple tenants without sharing credentials

Just-in-Time Privileged Access
Allow temporary access for specific tasks, such as AD changes or troubleshooting

Granular OU-Based Access Control
Restrict technicians to only specific organizational units

Compliance & Audit Readiness
Maintain detailed logs of who accessed domain resources and when


Best Practices


  • Store Private Key files securely and restrict access
  • Use role-based authorizations instead of individual user assignments
  • Limit access scope to specific OUs whenever possible
  • Enforce biometric authentication on all mobile devices
  • Regularly review authorization configurations
  • Ensure Domain Controllers have consistent agent deployment

Troubleshooting


Issue: Logon Failure – User Not Granted Logon Type

Error Example:

Logon failure: the user has not been granted the requested logon type

Resolution:

  1. Open secpol.msc
  2. Navigate to Local Policies → User Rights Assignment
  3. Update Allow log on locally to include the required users
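The secpol.msc steps above can also be checked and applied from an elevated PowerShell prompt. The following is an added example (not AutoElevate's own tooling) that exports the local user-rights policy with secedit, reports who currently holds Allow log on locally (SeInteractiveLogonRight), and appends an account if it is missing; the account name is a placeholder you must replace.

```powershell
# Added example, not AutoElevate's own code: inspect and extend SeInteractiveLogonRight
# ("Allow log on locally") on the local server. Run elevated on the machine showing the error.
$Account = 'CONTOSO\JIT-Technicians'   # PLACEHOLDER: the group or user that needs the right

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# 1. Export only the user-rights area of the current local security policy
secedit /export /cfg "$cfg" /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed; run as Administrator.' }

# 2. secedit lists principals as *<SID>, so resolve the account name to its SID
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Locate and parse the SeInteractiveLogonRight line (comma-separated *SID or name entries)
$lines = Get-Content -LiteralPath $cfg
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^SeInteractiveLogonRight\s*=') { $idx = $i; break }
}
$current = @()
if ($idx -ge 0) {
    $current = @(($lines[$idx] -split '=', 2)[1].Split(',') |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
Write-Output "Current holders of 'Allow log on locally': $($current -join ', ')"

if ($current -contains "*$sid" -or $current -contains $Account) {
    Write-Output "$Account already holds the right; check for a GPO override or a different account."
    return
}

# 4. Keep every existing holder and append the new SID
$newLine = 'SeInteractiveLogonRight = ' + (($current + "*$sid") -join ',')
if ($idx -ge 0) {
    $lines[$idx] = $newLine
} else {
    # No line yet: insert directly under the [Privilege Rights] section header
    $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
    if ($hdr -lt 0) { throw 'No [Privilege Rights] section in the export.' }
    $lines = $lines[0..$hdr] + $newLine + $lines[($hdr + 1)..($lines.Count - 1)]
}
Set-Content -LiteralPath $cfg -Value $lines -Encoding Unicode

# 5. Apply the edited template to the local policy database, then clean up
secedit /configure /db "$db" /cfg "$cfg" /areas USER_RIGHTS | Out-Null
Remove-Item -LiteralPath $cfg, $db -ErrorAction SilentlyContinue
Write-Output "Added $Account (*$sid) to 'Allow log on locally'."
```

On a Domain Controller this right is normally defined by the Default Domain Controllers Policy GPO, which overrides the local setting at the next policy refresh; in that case make the same change in the GPO instead.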

Issue: Domain Not Appearing in Authorization Settings

  • Confirm the Domain Controller agent is installed and reporting
  • Allow time for initial state sync

Issue: Mobile Device Cannot Approve Requests

  • Ensure the device has been approved using the correct private key
  • Verify biometric authentication is enabled
  • Confirm correct user context (approval is user-specific per device)

Issue: Connectivity Failures

  • Ensure outbound access to:
    • https://main.realtime.ably.net/event-stream 
  • Check firewall or proxy restrictions

Security & Sync Behavior


  • Temporary domain users are reused per technician, but do not retain admin privileges after login
  • Privileges are automatically downgraded post-session
  • Certificate Authority files are NOT stored by AutoElevate — customers are responsible for secure storage
  • Mobile approvals are tied to both the device and the user
  • Multiple public keys can exist on Domain Controllers for redundancy
