MFA Provider Installation Requirements
NOTE: For security reasons, end-user devices with “WIN OTP Provider” installed do not allow enrolling a user for a TOTP account. See the “OTP Account Creation for Users” section for details.
Before you can start using MFA authentication on Windows you must deploy “SecureMfa WIN OTP Provider” on the Windows device. All commands must be executed in an elevated PowerShell (PS) prompt.
1) Deploy the latest “SecureMfa_WIN_OTP” PowerShell module from the Microsoft PSGallery using the PS command below:
Install-Module -Name SecureMFA_WIN_OTP -Repository PSGallery -Scope AllUsers
NOTE: As of April 2020, the PowerShell Gallery no longer supports TLS protocol versions lower than 1.2. If your servers do not have a GPO change reflecting this requirement, you may need to manually enforce TLS 1.2 for the PowerShell session with the command below:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
If your server/workstation does not have Internet access, you can pull the PowerShell module from a Windows client that does, using the PS command below:
Find-Module -Name "SecureMFA_WIN_OTP" -Repository "PSGallery" | Save-Module -Path "C:\"
Copy the C:\SecureMFA_WIN_OTP folder from the client computer into “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_WIN_OTP” on the server.
Alternatively, you can download the “SecureMFA_WIN_OTP” nupkg file manually from https://www.powershellgallery.com/. Rename the nupkg file’s extension to ZIP, unzip the content into a folder named “SecureMFA_WIN_OTP” and place it in the default PS Modules location on the server. This works the same way as pulling the package with the native Windows PS tools.
2) Before the authentication provider can be invoked by Windows it must be registered in the system. The PowerShell command below performs the necessary installation actions, including installation into the GAC and registration of the DCOM interfaces required for authentication.
The command below installs the SecureMFA WIN OTP Provider on Windows for RDP sessions only (console access is not affected) and points the provider at the API endpoint URL used for OTP code validation. To lock down the Windows OS with MFA for all sessions, use the -RDPonly $false parameter. The anchor parameter specifies the OTP user suffix used in the “SecureMfaOTP” database.
Install-SecureMFA_WIN_OTP_AuthenticationProvider -anchordnsname "adatum.labnet" -RDPonly $true -api_endpoint "https://awebapi.adatum.labnet/api/securemfaotp"
Available parameters:
“anchordnsname” – Anchor parameter; specifies the TOTP user suffix used in the “SecureMfaOTP” database.
“serialkey” and “subscriptionid” – License details for the adapter; they unlock licensed provider features.
“api_endpoint” – SecureMFA WEB API Portal API endpoint.
“api_timeout” – Timeout value in milliseconds for the API response.
“sspr_url” – Self-service password reset (SSPR) portal URL for corporate users, used by the provider for the “Change Password” link. If the parameter is not set during the provider install, the host part of the API endpoint URL is used as the default SSPR portal address.
“RDPonly” – (True/False) Enable MFA for RDP sessions only on the device.
“totp_offline_secret_valid_days” – How long the synchronised offline secret remains valid for TOTP authentication before the user must resynchronise data from the SecureMFA WEB API Portal API endpoint. 0 disables the offline authentication feature.
“totp_offline_ui_login_failures” – When the offline authentication feature is enabled, the number of failed OTP logon attempts before the TOTP user is locked out for the number of minutes set under “totp_offline_ui_lockout_minutes”. 0 disables the TOTP user lockout feature.
“data_encryption_passphrase” – A passphrase used to decrypt API responses and the local data used for offline authentication. This setting only works for licensed adapters; all unlicensed providers use the following passphrase for encryption and decryption operations: “d9GhT=7=Ox8-+LaZ”. Since that default is published, it provides no confidentiality for offline data on unlicensed installs.
“api_headers_value” – Random string value used for header authentication against the SecureMFA WEB API Portal API endpoint.
“api_proxy_enable” – (True/False) Use a proxy for API calls if required.
“api_proxy_server” – If proxy is enabled, the FQDN of the proxy server.
“api_proxy_port” – If proxy is enabled, the proxy port number.
“verboselog” – (True/False) Enables verbose logging for the provider on the installed system.
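Steps 1 and 2 above combined into one elevated-session script, as an added example that is not part of the SecureMFA documentation; the offline copy path, the api_timeout and sspr_url values, the lockout numbers and the exact parameter types are assumptions, while the parameter names are those listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the SecureMFA documentation): runs steps 1 and 2 above in
# one elevated session. Parameter names are those listed above; their types and
# the offline copy path are assumptions.
$ErrorActionPreference = 'Stop'

# PSGallery rejects TLS versions below 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$moduleName  = 'SecureMFA_WIN_OTP'
$offlineCopy = 'C:\Temp\SecureMFA_WIN_OTP'   # assumed: folder produced by Save-Module on a connected client

if (-not (Get-Module -ListAvailable -Name $moduleName)) {
    if (Test-Path $offlineCopy) {
        # Air-gapped server: place the saved module in the all-users module path.
        $modulesDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
        Copy-Item -Path $offlineCopy -Destination $modulesDir -Recurse -Force
    } else {
        Install-Module -Name $moduleName -Repository PSGallery -Scope AllUsers
    }
}
Import-Module -Name $moduleName
# Fail early if the module did not export the install cmdlet.
$null = Get-Command -Name Install-SecureMFA_WIN_OTP_AuthenticationProvider

# Per-deployment header secret: 32 bytes from the OS CSPRNG, hex-encoded.
# The SecureMFA WEB API Portal must be configured with the same value.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$headerValue = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

$providerArgs = @{
    anchordnsname                   = 'adatum.labnet'
    api_endpoint                    = 'https://awebapi.adatum.labnet/api/securemfaotp'
    api_timeout                     = 5000        # milliseconds; value assumed
    sspr_url                        = 'https://awebapi.adatum.labnet/'   # assumed
    RDPonly                         = $false      # console and RDP sessions both require TOTP
    totp_offline_secret_valid_days  = 14          # offline TOTP allowed for two weeks between syncs
    totp_offline_ui_login_failures  = 5           # then lock the TOTP user for the minutes below
    totp_offline_ui_lockout_minutes = 15
    api_headers_value               = $headerValue
    verboselog                      = $false
}
Install-SecureMFA_WIN_OTP_AuthenticationProvider @providerArgs
```

The generated $headerValue is not displayed; capture it securely before the session ends so the Portal side can be configured to match.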
To verify that “SecureMfa WIN OTP Provider” has been installed successfully, RDP into your workstation and confirm that you are required to enter a TOTP code together with your standard credentials.