Advanced Authentication Options


NetDocuments provides a variety of advanced authentication options, such as digital certificates and IP address restrictions, to control and restrict access to the repository.

To access the Advanced Authentication page:

  1. In the upper-right corner, select your name > Admin > repository name.
  2. In the Navigation Pane, select Security Center > Advanced Authentication.


The page appears with three tabs:


Federated Identity allows users to sign in to NetDocuments via an identity provider, such as Windows Azure Active Directory or Active Directory Federation Service.


Authentication (Advanced) requires users to sign in via Automated login, Digital certificate-based login, or by IP address. Learn more about automated login options.

To configure your Advanced authentication, select Add Requirement.


In the example above, we selected Add Requirement 3 times to show how you can add more than one requirement. Multiple requirements use a successive logic. When a user first attempts to access the repository, NetDocuments will use the first requirement. If that requirement is not met, then NetDocuments will move on to the next one. 

In the Requirement type check box, define authentication based on IP Address or Authentication Method.

  • For IP Address type, enter a range of IP addresses that applies to your organization (make sure there is a space after the comma).
  • For Authentication Method type, from the drop-down box, select Automated Login or Digital Certificate.
    • You can restrict the Digital Certificate option to accept only certificates from specific issuers by selecting Change Issuer.

Important: Certificate-based authentication and Automated Login are features of the ActiveX control and are only supported by IE. With the end of IE support, we strongly recommend using Federated Identity for advanced authentication methods.

When you apply restrictions like IP Address(es) or Authentication Method, external users will not be able to access your repository. If you need external users to have access to your repository, then select the Exclude external users from requirements check box to make an exception to these restrictions for external users:


To delete a requirement, select the Delete Requirement button. Be careful that you don't set criteria that will lock you and your users out. If you do this accidentally, submit a support ticket at

Note: Because the API authentication tokens are placed in the registry and are valid for 40-90 days depending on the scope of the token, IP address restrictions may not apply after the tokens are created. Users will be able to sign in outside the IP restrictions only if the authentication tokens are still valid. This applies to ndOffice, ndSync, mobile apps, and any application that uses the API's OAuth authentication protocol. 
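To check a planned set of requirements for accidental lock-out before saving it, the successive logic described above can be modeled offline. The following is an added example, not NetDocuments code: the `start-end, start-end` range syntax, the dictionary fields, and all function names are assumptions made for illustration, and the sample addresses and users are constructed.

```python
import ipaddress

def parse_ranges(text):
    """Parse 'start-end, start-end' (format assumed) into (low, high) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in text.split(","))):
        low, _, high = part.partition("-")
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip() or low.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {part!r}")
        pairs.append((lo, hi))
    return pairs

def requirement_met(req, user):
    """True if this single requirement is satisfied by the sign-in attempt."""
    if req["type"] == "ip":
        addr = ipaddress.ip_address(user["ip"])
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in parse_ranges(req["ranges"]))
    return req["method"] in user["methods"]

def access_allowed(reqs, user, exclude_external=False):
    """Requirements are tried in order; the first one met grants access."""
    if not reqs:
        return True
    if user["external"]:
        # Per the page: restrictions block external users unless excluded.
        return exclude_external
    return any(requirement_met(r, user) for r in reqs)

def locked_out(reqs, users, exclude_external=False):
    """Names of users who would fail every requirement."""
    return [u["name"] for u in users
            if not access_allowed(reqs, u, exclude_external)]

# Constructed sample data (documentation address ranges, made-up users).
REQS = [
    {"type": "ip", "ranges": "203.0.113.0-203.0.113.255, 198.51.100.10-198.51.100.20"},
    {"type": "method", "method": "Digital Certificate"},
]
USERS = [
    {"name": "alice", "ip": "203.0.113.7", "methods": [], "external": False},
    {"name": "bob", "ip": "192.0.2.50", "methods": ["Digital Certificate"], "external": False},
    {"name": "carol", "ip": "192.0.2.51", "methods": [], "external": False},
    {"name": "dave", "ip": "203.0.113.9", "methods": [], "external": True},
]

if __name__ == "__main__":
    print(locked_out(REQS, USERS))
    print(locked_out(REQS, USERS, exclude_external=True))
```

The model covers interactive sign-in only; it does not account for API tokens that remain valid outside the IP range, as described in the note above.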

Limit Password Reset

When setting an IP address restriction, administrators also have the option to restrict password reset requests to an IP address range.


When outside the specified IP range or without using an authentication method, users will not be able to request a password reset link from the sign-in page. This minimizes password reset requests from external sources. 

Secured Link allows generating secured links only within the defined IP range.

Enter a range of IP addresses that applies to your organization and select Save.


Now, when internal users deliver a secured link in this repository, they can restrict access to authorized networks and make the generated secured link accessible only within the defined IP range.