Multi-Factor Authentication with Azure, need to know limitations

Hello,
This forum was recommended as a place to ask MFA questions.
The manager desires all the domain admin accounts to use MFA, when used for any purpose, but especially for when these accounts are used for managing the domain, either via workstation/server login or elevation.
Is this possible? What are the limitations?
Please let me know.
Thank you,
-Bob

On Mon, 9 Feb 2015 19:04:41 +0000, Littlebob wrote:
This forum was recommended as a place to ask MFA questions.
If you're asking specifically about Azure as per your subject then no, this
isn't actually the correct forum. Post here:
http://azure.microsoft.com/en-us/support/forums/
This is for on-prem Windows Server. You might want to let whomever directed
you here know that there are specific support forums for Azure.
Paul Adare - FIM CM MVP
"I've tried to convince many vegetarian friends that chicken are just
fast-moving vegetables." -- Simon Cozens

Similar Messages

  • How can I implement Multi Factor authentication with IAM products?

    Hi I would like to implement multi factor authentication that can be made generic with all IAM products. Can anyone suggest an MFA factor like that? It shouldn't be an add on or plug in. Instead it should be a built-in feature. Can anyone suggest any idea?

    Opensso has such feature built-in. You can create an authentication chain in which you can add as many authentication mechanisms as you need.
    Although it is a built-in feature, there's no full support for all sorts of authentication methods. Some of them exist as plugins, like authentication modules for smart cards and biometrics because they are not sold by Sun Microsystems. However, there's a solution for your requirement even though you might add some auth modules as plugins like biobex, activcard or auth modules from other vendors.
    Regards.

  • Can you use Multi Factor Authentication server with Central NPS and RD Gateway?

    Hi,
    Does anyone have any experience getting the Azure Multi-Factor Authentication (MFA) on-premise server, working with a Remote Desktop Gateway server, and a centralised NPS server?  I can get a solution whereby a user can get the second token (phone call/sms etc.) but the connection never gets established.  It looks like it's looping as it repeats the phone call/text for a second time but again no connection.  I can’t figure out why.
    All the blogs are very vague as to whether you can combine a new MFA NPS connection policy with an existing username/group membership NPS policy on a centralised NPS server (with RAP/CAP policies).
    I need to understand whether we can combine both an MFA Radius policy with a Username/Password plus group membership NPS policy together to achieve two factor authentication.
    Do you have the Remote Desktop Gateway Server connect to the Central NPS server and then the NPS server use the MFA server as its proxy server? In effect turning the NPS server into a proxy Radius server?  
    Or do you configure the Remote Desktop Gateway server to use the MFA server as the proxy Radius server, and configure the MFA server to send on Radius requests to the central NPS server?
    Or are either of these scenarios not supported, and you can only use the MFA server as the only Radius server in the auth. process? (bypassing NPS policies?)
    Thanks if someone can assist,
    I’ve been using these blogs but to no successful effect:
    http://technet.microsoft.com/en-us/library/dn394287.aspx
    http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
    http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/

    Hi Michael,
    Thank you for posting in Windows Server Forum.
    After going through your description, I can say that we can use MFA server with central NPS and RD Gateway. Also the link which you have provided points the step to apply. In addition you can refer below article.
    Configure Remote Desktop Gateway to use Multi-Factor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • With Multi-Factor Authentication ENABLED how can an admin connect remotely to manage Office 365 with PowerShell

    With Multi-Factor Authentication ENABLED how can an Office 365 admin connect remotely to manage Office 365 with PowerShell?
    When I key in my credentials, auth fails with invalid username and password?
    Does anyone know the procedure?

    This question was closed over a year ago.   You will  need to start a new question.  You can post a link back here if you think it helps.
    I also recommend asking in the O365 developers forum for how to do bulk license upgrades.  You can use the answer here and just remove and then add the new license. 
    ¯\_(ツ)_/¯

  • Multi-Factor Authentication Server and OWA

    Hello,
    I am trying to implement a two factor authentication solution for our OWA service using Multi-Factor Authentication server.
    What is the best way to accomplish that, assuming I would like the OWA to be the only service affected by the Multi-Factor Authentication server?
    (without affecting the whole IIS service such as ActiveSync etc.?)

    At present, the MFA Server user enrollment is completely separate from Azure AD. If you want to use the mobile app with the MFA Server, you need to install the User Portal so that users can generate activation codes and set their MFA method to mobile app.
    Also, for users to activate their mobile apps, you have to install the Mobile App Web Service, which communicates with the MFA Server via the Web Service SDK to validate the activation code generated in the User Portal. Here are links for installing the User Portal and Mobile App Web Service.
    https://msdn.microsoft.com/en-us/library/azure/dn394290.aspx
    https://msdn.microsoft.com/en-us/library/azure/dn394277.aspx?f=255&MSPPError=-2147217396

  • Multi-factor Authentication?

    Multi-factor authentication will soon be mandatory for several of my applications. I need to know if CF has any built-in functionality, either stock or via custom tags, to handle any of the common multi-factor tools. How are other people handling this?
    :-)

    Huh, i'm sorry, I found the answer just after the questioning... :)
    Known Issues:
    * Windows Authentication for Terminal Services is still not supported for Windows Server 2012 R2
    From: https://pfweb.phonefactor.net/install/6.3.0.17465/release_notes.txt
    www.sccmfaq.ch

  • Bypassing OAAM multi-factor authentication

    Hello
    In our project we found an interesting case where it is possible to bypass multi-factor authentication provided by OAM and OAAM. It can also work for a custom multi-factor login application which is integrated with OAM using the Access SDK.
    If you integrate OAM and OAAM as officially described in
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
    you basically have one form authentication scheme which redirects a user to OAAM when trying to access a protected resource. The user enters username/password in OAAM which is sent to OAM using the AccessSDK and validated by the authentication scheme in OAM.
    From the point of view of OAM the authentication is completed and OAAM receives the ObSSOCookie. OAAM does not return the cookie to the user but continues with additional authentication steps such as secret questions, fingerprints, etc. If all goes well OAAM returns the ObSSOCookie to the user and he is able to access the protected resource.
    The bypass:
    OAM has a nice feature (I call it security bug) which allows a user to add authentication credentials as parameters to the URL when accessing a resource. E.g. a user accessing a protected resource such as app.domain.com can simply enter https://app.domain.com?username=xxx&password=xxx and is automatically authenticated provided the username/password parameters and values are correct. By automatically authenticated I mean that there is no redirection to the login form. The authentication credentials are passed by OAM internally to the authentication scheme. There is no post action being sent and intercepted.
    Why is this bad? If you are using OAAM as a multi-factor login application, passing username/password as URL parameters will not involve OAAM at all. From the point of view of OAM a user is authenticated and there is no need to challenge him with OAAM. No matter what additional authentication factors are configured for OAAM, the authentication process is reduced to one factor (username/password).
    Any thoughts on this. I am mostly interested in ideas and approaches to fix this issue.
    Regards, Donat

    Hello Steve
    Bypassing OAAM works with the latest 10g release of OAAM and OAM and the architecture described in the Oracle documentation
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
    Any thoughts on this issue?
    Regards,
    Donat
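    Added example, not from the thread or from Oracle's products: a check that a reverse proxy or a log review can apply in front of an OAM-protected resource to flag or block requests that carry login parameters in the URL query string, which is the condition the post describes. The access-log format and the parameter names are assumptions for this example.

```python
"""Flag HTTP requests that carry login credentials in the URL query string.

Constructed example for the bypass described above: if the access manager
accepts username/password as URL parameters, the second factor is skipped.
A proxy in front of the resource, or a review of its access log, can catch
such requests. The parameter names and log format are assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed names of the credential parameters (as in the post: username/password).
CREDENTIAL_PARAMS = {"username", "password"}

# Common Log Format style line: host ident user [date] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (addresses from documentation ranges, no real data).
ACCESS_LOG = [
    '198.51.100.4 - - [10/Feb/2015:09:12:01 +0000] "GET /app/index.html HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Feb/2015:09:12:44 +0000] '
    '"GET /app/index.html?username=alice&password=REDACTED HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2015:09:13:02 +0000] "GET /app/report?UserName=bob HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Feb/2015:09:14:10 +0000] "POST /oaam/login HTTP/1.1" 200 1024',
]


def credential_params_in_url(target):
    """Return the set of credential parameter names found in a request target.

    Parameter names are compared case-insensitively; a parameter with an
    empty value still counts, because the form scheme may accept it.
    """
    query = urlsplit(target).query
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return names & CREDENTIAL_PARAMS


def should_block(target):
    """Proxy policy: reject any request whose URL carries a credential parameter.

    Credentials belong in the POSTed login form, never in the query string,
    so blocking here forces the normal (multi-factor) login flow.
    """
    return bool(credential_params_in_url(target))


def scan_access_log(lines):
    """Yield (src, timestamp, path, sorted param names) for each flagged request."""
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line in the expected format
        found = credential_params_in_url(match["target"])
        if found:
            yield (match["src"], match["ts"], urlsplit(match["target"]).path, sorted(found))


def flagged_sources(lines):
    """Count flagged requests per source address, for follow-up by the responder."""
    return Counter(src for src, _, _, _ in scan_access_log(lines))


if __name__ == "__main__":
    for src, ts, path, params in scan_access_log(ACCESS_LOG):
        print(f"{ts} {src} {path} credentials-in-url: {','.join(params)}")
    print(dict(flagged_sources(ACCESS_LOG)))
```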

  • DirSync and Multi-Factor Authentication Server

    Can DirSync and Multi-Factor Authentication Server be installed on the same server?
    If so would there be any security issues?

    Hi,
    Thanks for posting here!
    There are no known caveats with it but it's not a combination we recommend for or against.
    That said, our standard guidance is to put different roles on different machines if resources are available.
    If you are running into any issues, please let us know.
    Hope this helps!
    Regards,
    Sadiqh
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.

  • Multi-Factor Authentication desktop app?

    Is there a desktop app (Win 7/8) for authenticating against Azure Multi-Factor?  I've currently got a MFA provider spun up in Azure and the server installed on prem.  We are currently testing with it for two factor authentication to an RDS deployment and it seems to work well.  So far I've used both the phone call and text authentication methods and I'm working on getting the mobile app piece to work.
    We do have some instances though where users may not have dedicated cell phones.  Is there an app that can be installed on the desktop and works with the Azure MFA that will allow them to two factor auth?  Perhaps allowing them to use a known pin to generate a one time passcode?
    Thanks

    No, there isn't one. There *might* be one coming with Windows 10 and universal apps, but then again, being able to just use an app on the PC you are accessing the resource from kinda negates the whole value of the additional auth factor.
    MFA is not limited to mobile phones only, use a regular one if needed. Or even an OATH token. Lastly, you can always fallback to the security questions, since you have the MFA server.

  • OAM multi-level authentication with an OIF SP

    As background, we have 16 Shibboleth IdPs in a federation and users need to access a couple of applications that are protected by OAM (10.1.4.3) using OIF (11g) as the SP. We have a requirement to force re-authentication for a set of URLs protected by OAM. So, if a user accesses application, let's call it LOW, and then attempts to access application called HIGH, we need to reauthenticate the user at the IdP. In OAM, this is the classic use case for multi-level authentication, I think.
    Since OIF acts as a gateway, all of the applications "behind" OIF/OAM use the same authentication scheme in OAM, so I can't use OAM's multi-level authentication as we are configured now. I was told by an OIF person at OracleWorld that a possible approach would be to configure a custom authentication engine in OIF that is basically a copy of the OAM authentication engine and set that up at a different authentication level in OAM. However, looking through the documentation, it looks like the authentication engines are only used when OIF is used as an IdP. Perhaps the person meant that I need to set up a custom SP Integration Module? Or am I misunderstanding the role of the auth engine?
    The OAM SP Integration Module lets me specify Authentication Schemes and Authentication Scheme Levels. We currently are set up to use OIF-unspecified with a level of 1. Since we want to re-authenticate, however, we really want to use the same authentication scheme but at a different authentication level. Is there a way to achieve that? Can I set up a second OAM SP Integration Module with a different policy domain and set the OIF-unspecified authentication scheme to level 2 on that one? How would I go about doing that -- as a custom SP engine?
    Has anyone done anything similar or found a way to force reauthentication using the same authenticator for some applications behind an OIF SP but not others?
    Thanks for any help you can provide.
    --Mike

    Hi,
    Thanks for the reply.
    “In fact there is not one use case. There are 5 use cases for which we need to provide Second Level of Authentication functionality. And that also with the flexibility of switching this on/off.
    Now as per my understanding we should achieve this through the following flow :
    Store one extra attribute in OID per user per service. And that attribute will store the enable/disable information for that particular service and for that particular user.
    Now ObAuthentication Scheme class of Access Manager API needs to be used for enabling or disabling the Level 2 authentication scheme as per that attribute.
    Is this flow possible.”
    Cheers,
    Sunny

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
    Would like to know if anyone has implemented the two-factor authentication for Sites login ( Admin / Contributor Interface ),
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if you use OAM for the access, you could create something like the described in:  Integrating the RSA SecurID Authentication Plug-In -
    I haven't tried myself, but maybe that integration with RSA SecurID plugin helps you.
    Regards,
    Guillermo.

  • 2 Factor Authentication with a CLI XMPP client

    So, I've been in the process of attempting to completely migrate from GUI to CLI and have been looking for a way to access my Facebook messenger from a CLI XMPP client. However, I have 2 Factor authentication set up on my Facebook and cannot find any way of getting around that. The XMPP client I've been trying to use is mcabber. Could someone either show me how to use mcabber and 2 factor auth, or point me in the right direction to another client that supports it. Thanks guys!

    If you want to use custom authentication plugin then OAM provides a way to create a custom authentication module and you can orchestrate your steps based on your conditions. See http://docs.oracle.com/cd/E21764_01/doc.1111/e12491/authnapi.htm for more details.
    Hope this helps,
    Sagar

  • DirectAccess with Windows Azure Multi-Factor Authentication Server

    Hi,
    We're having some troubles implementing OTP functionality for our DirectAccess solution. We have a DA server with dual NICs (one internal and one external) behind a firewall. We are successfully running it with Windows 7 computers using certificates issued by our own CA. Everything works fine (e.g. 6to4, Teredo and IP-HTTPS) and computers connect instantaneously.
    Then we decided to try to implement OTP functionality using Azure MFA. We have downloaded the on-premises installation and configured a server with a couple of trial users synced from our Active Directory. It works flawlessly when using the portal and the built-in tests on the MFA. We receive the text messages promptly and are granted access.
    However when we tried to connect it to our DA server things got weird.
    First of all our DA server refuses to recognize our Issuing CA even though it is domain joined and published in our Active Directory. It worked the first time we went through the wizard, but ever since it just keeps saying that "no CA servers can be detected". We ended up doing it the PowerShell way and the Operations status shows no error. When we added the Issuing CA and the Radius Server (our MFA server) as Infrastructure Servers we got an error message saying that "One or more IP addresses of management server cannot be added because they are associated with the web probe URL" (which they don't).
    We went ahead and started testing the OTP functionality - assuming this was some strange bug as well. Following the closest thing to a requirement specification we could find from MS regarding the certificates required. Both with a Windows 8.1 Ent client and a couple of Windows 7 Ent clients but neither are getting any password prompts. We can see with Wireshark and in the logs that the DAProbeUser can communicate between the DA and the MFA. If we try to access the DaOTP IIS site we get a certificate error. The IIS certificate is issued from the same trusted Root CA as the client certificate and all certificates are valid. The CRLs are accessible both externally and internally.
    We are looking through the local computers' OtpCredentialProvider logs but for the Windows 8.1 ones they are only saying Error 10001 (unable to send authentication information to daservername.domain.com error 12175). And for the Windows 7 clients we are getting Error 10003 (Either private key cannot be generated or user cannot access certificate template on the DC. Which we verified that we can using the infrastructure tunnel only). No other IPv4 traffic seems to be communicated between the two servers according to Wireshark.
    We have also tried using our SafeNet on-prem RADIUS solution but no traffic seems to get sent to that server either.
    So TL;DR:
    - Can anyone provide the precise certificate requirements for setting up DA OTP?
    - Are there any good tools for troubleshooting DA OTP-functionality? 

    Hello Benoit,
    Thank you for your reply. If we understood your blog post correctly then we are supposed to be able to access https://daserver.domain.com/DAOTPvirtualdirectory/DAOTPAuth.dll and not get a 403.7 error page, even if the back-end Radius isn’t fully functional yet?
    The DA server has the OTP signing certificate (confirmed this on the issuing CA and the server’s computer certificate store), it renews this certificate once per day (as per the guide for the templates on: http://technet.microsoft.com/en-us/library/hh831715.aspx)
    We’re not seeing any errors on the AD CS server, no requests, no rejections (for the client certificates), but this could be due to the settings followed for the client template on the TechNet guide (Do not store certificates and requests in the CA database)?
    What do you mean with "IF OTP signing certificate is not present on client-side, OTP authentication cannot work"? The signing certificate should be on the server side, or are we mistaken?
    Also, according to http://msdn.microsoft.com/en-us/library/hh536654.aspx it is stated:
    “2.The administrator establishes one or more implementation-specific<1>CA servers”
    But other guides specifically mention that you can use your current CA environment and that you’re not required to install a dedicated CA for this particular task.

  • How to deploy connection (Mac OS X Yosemite to Windows RDS) through the RD Gateway with Two Factor authentication (Safenet OTP) on Session host?

    Good day!
    Could you please help me? How to deploy connection (Mac OS X Yosemite to Windows RDS) through the RD Gateway with Two Factor authentication on Session host? How to open an authentication dialog that is the same as in Windows when logging on to network resources in Windows (Windows Security)?
    Our test environment: We have one RDS 2012 R2 server (all roles in one) and one session host in collection. On the session host, SafeNet Network Logon is installed, and it is under a GPO which disables all authentication except OTP.

    Hi Sir,
    It seems that you are going to integrate a 3rd party product into AD for authentication.
    I would suggest you contact the vendor of SafeNet for this deployment scenario:
    http://www.safenet-inc.com/multi-factor-authentication/authentication-management/safenet-authentication-manager-express-samx/
    Best Regards,
    Elton Ji
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

  • Secure RD Web Access with Azure MFA

    We are keen to deploy RD Web Access for external users but can't find any guidance on securing it with Multi-Factor Authentication (MFA - formerly PhoneFactor).
    We currently use MFA with our RD Gateway for users who connect directly to VMs via RDP but want to give other users access to RemoteApps via RD Web Access with the same two factor authentication.
    Cheers for now
    Russell

    Hi,
    Thank you for posting in Windows Server Forum.
    I am afraid that there is still no direct MFA for RD Web; you need to log in through RD Gateway, which works as follows. A Remote Desktop login request to RD Gateway that includes Azure MFA looks like this:
    1. User logs into RD Web Access and double clicks a RemoteApp (or desktop connection)
    2. The user’s login credentials for the website are used to validate the user (Web SSO), so no need to give them again.
    3. The user then gets an SMS text message on their smart device that provides them a 6 digit numeric code (the one-time password).
    4. The user replies to the text message by inputting this 6 digit code and adding their unique pre-defined PIN to the end of the sequence – Azure MFA includes the option to require the user know a predefined unique PIN as well, so that replies to a text message have to come from the user.
    5. The user is authenticated, and the RemoteApp (or desktop connection) opens.
    More information:
    Step By Step – Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

    Dharmesh,
    I owe you an apology, I'd forgotten that when you access RD Web Access you're only downloading an RDP file which then uses the RD Gateway to connect the client to the RemoteApp. If we already have the RD Gateway in place and configured with MFA this will produce the required result.
    Sorry
    Russell
