DirSync and Multi-Factor Authentication Server

Can DirSync and Multi-Factor Authentication Server be installed on the same server?
If so would there be any security issues?

Hi,
Thanks for posting here!
There are no known caveats with it, but it's not a combination we recommend for or against.
That said, our standard guidance is to put different roles on different machines if resources are available.
If you are running into any issues, please let us know.
Hope this helps!
Regards,
Sadiqh

Similar Messages

  • Multi-Factor Authentication Server and OWA

    Hello,
    I am trying to implement a two factor authentication solutions for our OWA service using Multi-Factor Authentication server.
    What is the best way to accomplish that, assuming I would like the only service affected by the Multi-Factor Authentication server to be OWA?
    (without affecting the whole IIS service, such as ActiveSync etc.)

    At present, the MFA Server user enrollment is completely separate from Azure AD. If you want to use the mobile app with the MFA Server, you need to install the User Portal so that users can generate activation codes and set their MFA method to mobile app.
    Also, for users to activate their mobile apps, you have to install the Mobile App Web Service, which communicates with the MFA Server via the Web Service SDK to validate the activation code generated in the User Portal. Here are links for installing the User
    Portal and Mobile App Web Service.
    https://msdn.microsoft.com/en-us/library/azure/dn394290.aspx
    https://msdn.microsoft.com/en-us/library/azure/dn394277.aspx?f=255&MSPPError=-2147217396

  • Can you use Multi Factor Authentication server with Central NPS and RD Gateway?

    Hi,
    Does anyone have any experience getting the Azure Multi-Factor Authentication (MFA) on-premise server working with a Remote Desktop Gateway server and a centralised NPS server? I can get a solution whereby a user can get the second token (phone call/SMS etc.) but the connection never gets established. It looks like it's looping, as it repeats the phone call/text a second time, but again no connection. I can't figure out why.
    All the blogs are very vague as to whether you can combine a new MFA NPS connection policy with an existing username/group membership NPS policy on a centralised NPS server (with RAP/CAP policies).
    I need to understand whether we can combine both an MFA RADIUS policy with a Username/Password plus group membership NPS policy together to achieve two factor authentication.
    Do you have the Remote Desktop Gateway Server connect to the Central NPS server and then have the NPS server use the MFA server as its proxy server? In effect turning the NPS server into a proxy RADIUS server?
    Or do you configure the Remote Desktop Gateway server to use the MFA server as the proxy RADIUS server, and configure the MFA server to send on RADIUS requests to the central NPS server?
    Or are neither of these scenarios supported, and you can only use the MFA server as the only RADIUS server in the auth process (bypassing NPS policies)?
    Thanks if someone can assist,
    I’ve been using these blogs but to no successful effect:
    http://technet.microsoft.com/en-us/library/dn394287.aspx
    http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
    http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/

    Hi Michael,
    Thank you for posting in Windows Server Forum.
    After going through your description, I can say that we can use the MFA server with central NPS and RD Gateway. Also, the link which you have provided describes the steps to apply. In addition, you can refer to the article below.
    Configure Remote Desktop Gateway to use Multi-Factor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • DirectAccess with Windows Azure Multi-Factor Authentication Server

    Hi,
    We're having some trouble implementing OTP functionality for our DirectAccess solution. We have a DA server with dual NICs (one internal and one external) behind a firewall. We are successfully running it with Windows 7 computers using certificates issued by our own CA. Everything works fine (e.g. 6to4, Teredo and IP-HTTPS) and computers connect instantaneously.
    Then we decided to try to implement OTP functionality using Azure MFA. We have downloaded the on-premises installation and configured a server with a couple of trial users synced from our Active Directory. It works flawlessly when using the portal and the built-in tests on the MFA. We receive the text messages promptly and are granted access.
    However, when we tried to connect it to our DA server things got weird.
    First of all, our DA server refuses to recognize our Issuing CA even though it is domain joined and published in our Active Directory. It worked the first time we went through the wizard, but ever since it just keeps saying that "no CA servers can be detected". We ended up doing it the PowerShell way and the Operations status shows no error. When we added the Issuing CA and the RADIUS server (our MFA server) as Infrastructure Servers we got an error message saying that "One or more IP addresses of management server cannot be added because they are associated with the web probe URL" (which they aren't).
    We went ahead and started testing the OTP functionality, assuming this was some strange bug as well, following the closest thing to a requirement specification we could find from MS regarding the certificates required. We tested both with a Windows 8.1 Enterprise client and a couple of Windows 7 Enterprise clients, but neither is getting any password prompts. We can see with Wireshark and in the logs that the DAProbeUser can communicate between the DA and the MFA. If we try to access the DaOTP IIS site we get a certificate error. The IIS certificate is issued from the same trusted Root CA as the client certificate and all certificates are valid. The CRLs are accessible both externally and internally.
    We are looking through the local computers' OtpCredentialProvider logs, but for the Windows 8.1 ones they only say Error 10001 (unable to send authentication information to daservername.domain.com, error 12175), and for the Windows 7 clients we are getting Error 10003 (either the private key cannot be generated or the user cannot access the certificate template on the DC, which we verified that we can, using the infrastructure tunnel only). No other IPv4 traffic seems to be communicated between the two servers according to Wireshark.
    We have also tried using our SafeNet on-prem RADIUS solution, but no traffic seems to get sent to that server either.
    So TL;DR:
    - Can anyone provide the precise certificate requirements for setting up DA OTP?
    - Are there any good tools for troubleshooting DA OTP functionality?

    Hello Benoit,
    Thank you for your reply. If we understood your blog post correctly, then we are supposed to be able to access https://daserver.domain.com/DAOTPvirtualdirectory/DAOTPAuth.dll and not get a 403.7 error page, even if the back-end RADIUS isn't fully functional yet?
    The DA server has the OTP signing certificate (confirmed this on the issuing CA and the server's computer certificate store); it renews this certificate once per day (as per the guide for the templates on http://technet.microsoft.com/en-us/library/hh831715.aspx).
    We're not seeing any errors on the AD CS server, no requests, no rejections (for the client certificates), but this could be due to the settings followed for the client template on the TechNet guide (Do not store certificates and requests in the CA database)?
    What do you mean with "IF OTP signing certificate is not present on client-side, OTP authentication cannot work"? The signing certificate should be on the server side, or are we mistaken?
    Also, according to http://msdn.microsoft.com/en-us/library/hh536654.aspx it is stated:
    "2. The administrator establishes one or more implementation-specific<1> CA servers"
    But other guides specifically mention that you can use your current CA environment and that you're not required to install a dedicated CA for this particular task.

  • Multi-factor Authentication?

    Multi-factor authentication will soon be mandatory for several of my applications. I need to know if CF has any built-in functionality, either stock or via custom tags, to handle any of the common multi-factor tools. How are other people handling this? :-)

    Huh, I'm sorry, I found the answer just after asking... :)
    Known Issues:
    * Windows Authentication for Terminal Services is still not supported for Windows Server 2012 R2
    From: https://pfweb.phonefactor.net/install/6.3.0.17465/release_notes.txt
    www.sccmfaq.ch

  • Bypassing OAAM multi-factor authentication

    Hello
    In our project we found an interesting case where it is possible to bypass multi-factor authentication provided by OAM and OAAM. It can also work for a custom multi-factor login application which is integrated with OAM using the Access SDK.
    If you integrate OAM and OAAM as officially described in
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
    you basically have one form authentication scheme which redirects a user to OAAM when trying to access a protected resource. The user enters username/password in OAAM, which is sent to OAM using the Access SDK and validated by the authentication scheme in OAM.
    From the point of view of OAM the authentication is completed and OAAM receives the ObSSOCookie. OAAM does not return the cookie to the user but continues with additional authentication steps such as secret questions, fingerprints, etc. If all goes well, OAAM returns the ObSSOCookie to the user and he is able to access the protected resource.
    The bypass:
    OAM has a nice feature (I call it security bug) which allows a user to add authentication credentials as parameters to the URL when accessing a resource. E.g. a user accessing a protected resource such as app.domain.com can simply enter https://app.domain.com?username=xxx&password=xxx and is automatically authenticated provided the username/password parameters and values are correct. By automatically authenticated I mean that there is no redirection to the login form. The authentication credentials are passed by OAM internally to the authentication scheme. There is no post action being sent and intercepted.
    Why is this bad? If you are using OAAM as a multi-factor login application, passing username/password as URL parameters will not involve OAAM at all. From the point of view of OAM a user is authenticated and there is no need to challenge him with OAAM. No matter what additional authentication factors are configured for OAAM, the authentication process is reduced to one factor (username/password).
    Any thoughts on this. I am mostly interested in ideas and approaches to fix this issue.
    Regards, Donat

    Hello Steve
    Bypassing OAAM works with the latest 10g release of OAAM and OAM and the architecture described in the Oracle documentation
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
    Any thoughts on this issue?
    Regards,
    Donat
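    The thread above describes OAM accepting username/password as URL query parameters, which lets a request skip the OAAM challenge. The following Python script is an added example (not from the original post, and not Oracle code) that shows the two things a defender would want while the OAM side is being fixed: a detection pass over web-server access logs that flags any request carrying credential parameters in its query string, and an edge mitigation that strips those parameters before the request is forwarded to OAM, so the form flow through OAAM is the only way in. The log lines, host name and the list of parameter names beyond username/password are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must never travel in a query string. "username" and
# "password" are the ones named in the thread; the rest are common aliases
# (an assumption; extend to match your deployment).
CREDENTIAL_PARAMS = {"username", "password", "userid", "passwd", "pwd"}


def credential_params_in_url(url: str) -> set:
    """Return the set of credential-bearing query parameter names in a URL."""
    query = urlsplit(url).query
    return {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS}


def strip_credential_params(url: str) -> str:
    """Mitigation: drop credential parameters at the reverse proxy before the
    request reaches OAM, so only the OAAM form flow can authenticate a user."""
    parts = urlsplit(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if n.lower() not in CREDENTIAL_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def flag_access_log(lines):
    """Detection: scan Common Log Format lines and return
    (client_ip, path, sorted parameter names) for every request whose
    query string carries credentials. The value itself is never returned,
    so the finding can be forwarded to a SIEM without leaking the password."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed CLF line; skip rather than guess
        client_ip, request_path = fields[0], fields[6]
        names = credential_params_in_url("https://app.example.com" + request_path)
        if names:
            findings.append((client_ip, urlsplit(request_path).path, sorted(names)))
    return findings


# Constructed sample access-log lines (assumption, not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2015:10:00:01 +0000] "GET /app/home HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Mar/2015:10:00:02 +0000] "GET /app/home?username=alice&password=REDACTED HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2015:10:00:03 +0000] "GET /app/report?id=42 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, names in flag_access_log(SAMPLE_LOG):
        print(f"credentials in query string from {ip} on {path}: {names}")
    print(strip_credential_params("https://app.example.com/home?username=a&password=b&id=7"))
```

    Two caveats for the mitigation: stripping only covers the query string, so it does nothing for credentials submitted in a request body, and it has to run at every ingress path in front of OAM (including any that bypass the proxy), or a single unfiltered entry point reopens the one-factor path. Detection is still worth keeping after the fix, because any request that still carries these parameters is either a misbehaving client or someone probing for the old behaviour.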

  • With Multi-Factor Authentication ENABLED how can a admin connect remotely to manage Office 365 with PowerShell

    With Multi-Factor Authentication ENABLED, how can an Office 365 admin connect remotely to manage Office 365 with PowerShell?
    When I key in my credentials, auth fails with invalid username and password.
    Does anyone know the procedure?

    This question was closed over a year ago.   You will  need to start a new question.  You can post a link back here if you think it helps.
    I also recommend asking in the O365 developers forum for how to do bulk license upgrades.  You can use the answer here and just remove and then add the new license. 
    ¯\_(ツ)_/¯

  • How can I implement  Multi Factor authentication with IAM products?

    Hi, I would like to implement multi-factor authentication that can be made generic with all IAM products. Can anyone suggest an MFA factor like that? It shouldn't be an add-on or plug-in. Instead it should be a built-in feature. Can anyone suggest any idea?

    OpenSSO has such a feature built in. You can create an authentication chain in which you can add as many authentication mechanisms as you need.
    Although it is a built-in feature, there's no full support for all sorts of authentication methods. Some of them exist as plugins, like authentication modules for smart cards and biometrics, because they are not sold by Sun Microsystems. However, there's a solution for your requirement even though you might add some auth modules as plugins, like biobex, activcard or auth modules from other vendors.
    Regards.

  • Multi-Factor Authentication desktop app?

    Is there a desktop app (Win 7/8) for authenticating against Azure Multi-Factor? I've currently got an MFA provider spun up in Azure and the server installed on prem. We are currently testing with it for two factor authentication to an RDS deployment and it seems to work well. So far I've used both the phone call and text authentication methods and I'm working on getting the mobile app piece to work.
    We do have some instances though where users may not have dedicated cell phones. Is there an app that can be installed on the desktop and works with the Azure MFA that will allow them to two factor auth? Perhaps allowing them to use a known PIN to generate a one time passcode?
    Thanks

    No, there isn't one. There *might* be one coming with windows 10 and universal apps, but then again, being able to just use an app on the PC you are accessing the resource from kinda negates the whole value of the additional auth Factor.
    MFA is not limited to mobile phones only, use a regular one if needed. Or even an OATH token. Lastly, you can always fallback to the security questions, since you have the MFA server.

  • Scan to Email not working - Invalid Credentials error (using gmail and 2-factor authentication)

    I configured the HP OfficeJet 8600 printer for scan to email using the Embedded Web Server interface. In the Web interface, I added/entered an email address for my gmail account, set the correct SMTP server details, and entered 465 for the port number. I checked the "Always use secure connection" box, as well as the "SMTP requires authentication for outgoing email messages" box. I entered the correct SMTP user ID and password. Yet when I did a test, I got an error "Invalid credentials". After a lot of frustration, and trying all sorts of things, I eventually got the idea to try another email account. This time I tried a different email account, a netzero email account, configured the SMTP server details for it etc. And this time when I tested the netzero email address it worked. I tried the scan to email on the printer, and it worked for the Netzero email account. It just didn't work for the gmail account. I had a while back turned on 2-factor authentication. I went to gmail settings and requested an "App password" for my HP printer. Google/gmail displayed a 16 character password, which I then entered into the password box in the HP OfficeJet printer Embedded Web Server interface (instead of my usual password), for the gmail account. And this time when I tested the email account - it worked! Problem solved! I share this just in case anyone else is having the same problem I had, and is going through the same frustrating experience I endured!

    Thank you. This helped TREMENDOUSLY! 

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
    Would like to know if anyone has implemented two-factor authentication for the Sites login (Admin / Contributor Interface).
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if you use OAM for the access, you could create something like what is described in: Integrating the RSA SecurID Authentication Plug-In -
    I haven't tried it myself, but maybe that integration with the RSA SecurID plugin helps you.
    Regards,
    Guillermo.

  • Multi-Factor Authentication with Azure, need to know limitations

    Hello,
    This forum was recommended as a place to ask MFA questions.
    The manager desires all the domain admin accounts to use MFA when used for any purpose, but especially when these accounts are used for managing the domain, either via workstation/server login or elevation.
    Is this possible? What are the limitations?
    Please let me know.
    Thank you,
    -Bob

    On Mon, 9 Feb 2015 19:04:41 +0000, Littlebob wrote:
    This forum was recommended as a place to ask MFA questions.
    If you're asking specifically about Azure as per your subject then no, this
    isn't actually the correct forum. Post here:
    http://azure.microsoft.com/en-us/support/forums/
    This is for on-prem Windows Server. You might want to let whomever directed
    you here know that there are specific support forums for Azure.
    Paul Adare - FIM CM MVP
    "I've tried to convince many vegetarian friends that chicken are just
    fast-moving vegetables." -- Simon Cozens

  • MFA Server - User portal and mobile app web server should be installed where?

    Hi. We are in the process of testing the Multi-Factor Auth server and are currently using it for two-factor authentication to RDS for a couple of users. At the moment we are only using the phone call/text options, but I'd like to get the mobile app portion working to test. Also still need to implement the user self-service portal for testing.
    Currently I have a VM that was dedicated to MFA where the Multi-Factor Authentication Server software was installed. Now though I'm a bit confused as to whether it's safe to install the user portal and mobile app web service portion on this same machine or if they should go on a different server(s). Currently the box is internal, but I'm guessing if it also has to act as the web server we would stick it behind the TMG for external inbound access. Is external access to the primary MFA server ok?
    What's the best practice for separation of the MFA roles; or is there none and it's fine to just put it all together?
    Thanks.

    Hello Col. Forbin,
    Thanks for posting here!
    You have a dedicated MFA server, and if you install the User Portal on the same server as the MFA Server, it uses RPC to communicate with the MultiFactorAuth service locally.
    If the User Portal is installed on a different server, it must connect via the Web Service SDK. You can use either a username/password of a service account that is a member of the PhoneFactor Admins security group, or you can configure client certificates. If using the username/password, you can encrypt the appSettings section of the web.config file if desired.
    Under Inetpub\wwwroot\MultiFactorAuth, when you edit the web.config file you need to make sure these values are set:
    USE_WEB_SERVICE_SDK: true
    WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: domain\user
    WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD: password
    OVERRIDE_PHONE_APP_WEB_SERVICE_URL:
    You might want to refer to this thread:
    https://social.msdn.microsoft.com/Forums/en-US/ad1f6fc1-ab3f-482d-a435-e4fd6665f640/mfa-user-portal-issue?forum=windowsazureactiveauthentication
    Additional reference links:
    https://technet.microsoft.com/en-us/library/dn376347.aspx#multifactor
    https://pfweb.phonefactor.net/install/6.2.1.16387/release_notes.txt
    Let me know if you have any further questions!
    Regards,
    Sadiqh Ahmed
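    The answer above lists the appSettings keys the User Portal needs when it talks to the MFA Server over the Web Service SDK, and notes that the service-account password can be left in the clear or the appSettings section can be encrypted. The following Python script is an added example (not from the original thread, and not Microsoft code) that audits a User Portal web.config for exactly those points: whether the SDK path is enabled, whether every required key has a value, and whether the password is sitting in plaintext or the section has been protected. It relies on the fact that ASP.NET protected configuration replaces the section body with an EncryptedData element and stamps a configProtectionProvider attribute on the section; the two sample configs, the account name and the cipher value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Keys the answer above says must be set for the User Portal to reach the
# MFA Server through the Web Service SDK.
REQUIRED_KEYS = (
    "USE_WEB_SERVICE_SDK",
    "WEB_SERVICE_SDK_AUTHENTICATION_USERNAME",
    "WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD",
)


def audit_user_portal_config(web_config_xml: str) -> dict:
    """Inspect the appSettings of a User Portal web.config and report whether
    the SDK path is configured and whether the service-account password is
    stored in the file in clear text."""
    root = ET.fromstring(web_config_xml)
    report = {"sdk_enabled": False, "encrypted": False,
              "plaintext_password": False, "findings": []}
    app = root.find("appSettings")
    if app is None:
        report["findings"].append("no appSettings section")
        return report
    # ASP.NET protected configuration replaces the section body with
    # <EncryptedData> and stamps configProtectionProvider on the section;
    # nothing inside is readable, so the plaintext checks do not apply.
    if app.get("configProtectionProvider") or app.find("EncryptedData") is not None:
        report["encrypted"] = True
        return report
    settings = {a.get("key"): (a.get("value") or "") for a in app.findall("add")}
    report["sdk_enabled"] = settings.get("USE_WEB_SERVICE_SDK", "").lower() == "true"
    if not report["sdk_enabled"]:
        return report  # local RPC mode: SDK credentials are not used
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            report["findings"].append(f"{key} is empty")
    if settings.get("WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD"):
        report["plaintext_password"] = True
        report["findings"].append(
            "service-account password stored in clear text; encrypt appSettings")
    return report


# Constructed sample web.config fragments (assumptions, not from the thread).
PLAINTEXT_CONFIG = r"""<configuration>
  <appSettings>
    <add key="USE_WEB_SERVICE_SDK" value="true" />
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value="CONTOSO\svc-mfa-portal" />
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value="placeholder-password" />
    <add key="OVERRIDE_PHONE_APP_WEB_SERVICE_URL" value="" />
  </appSettings>
</configuration>"""

ENCRYPTED_CONFIG = """<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG), ("encrypted", ENCRYPTED_CONFIG)):
        print(name, audit_user_portal_config(cfg))
```

    Run it against the real file at Inetpub\wwwroot\MultiFactorAuth\web.config after deploying the portal on a separate box. Encrypting the section only protects the file at rest; the account in WEB_SERVICE_SDK_AUTHENTICATION_USERNAME is a member of PhoneFactor Admins, so it still deserves the same handling as any other privileged service account.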

  • How to deploy connection (Mac OS X Yosemite to Windows RDS) through the RD Gateway with Two Factor authentication (Safenet OTP) on Session host?

    Good day!
    Could you please help me? How do I deploy a connection (Mac OS X Yosemite to Windows RDS) through the RD Gateway with Two Factor authentication on the Session host? How do I open an authentication dialog that is the same as in Windows when logging on to network resources in Windows (Windows Security)?
    Our test environment: We have one RDS 2012 R2 server (all roles in one) and one session host in the collection. On the session host, SafeNet Network Logon is installed, and it is under a GPO which disables all authentication except OTP.

    Hi Sir,
    It seems that you are going to integrate a 3rd party product into AD for authentication.
    I would suggest you contact the vendor of SafeNet for this deployment scenario:
    http://www.safenet-inc.com/multi-factor-authentication/authentication-management/safenet-authentication-manager-express-samx/
    Best Regards,
    Elton Ji

  • Vmware horizon radius integration with two factor authentication

    I have deployed the VMware Horizon View connection server (Evaluation/Trial version), and I want to integrate it with a two factor authentication server. But after configuring the RADIUS parameters in the admin portal of the connection server, it's not allowing me to save the settings. Please suggest.
    I have attached the snap for your reference.

    The SMTP server supports what is referred to as third party authentication. To take advantage of this you would need to provide all of the authentication code, however -- there's no way to do part of the authentication and then pass control back to the messaging server for the rest. So you'd need to do both password checks, one of which is presumably done via LDAP auth, yourself.
    As far as LDAP proxy and RADIUS, we use a standard LDAP simple bind. The ODSEE LDAP proxy is often used in OCMS deployments, so that is a known good solution. We don't directly support RADIUS; the aforementioned third party authentication could be used to tie into such a system.
    - Jeff
