Azure Multi-Factor Authentication server
Thinking of multi-factor authentication as a service is powerful and can open the door for many business opportunities. Multi-factor authentication as a service is simply consuming the second factor from the cloud, so that your on-premises applications and cloud workloads can both use the same multi-factor authentication platform. Azure Multi-Factor Authentication or Azure MFA is Microsoft’s two-step verification solution that helps safeguard access to data and applications. Azure Multi-Factor Authentication server extends Azure MFA cloud solution to help you protect on-premises applications with the same cloud service.
Azure Multi-Factor Authentication server
While Azure MFA can help you protect your cloud workloads through Azure Active Directory, it can also help you protect your on-premises applications by deploying Azure multi-factor authentication server on premise.
Think of the Azure Multi-Factor Authentication server as an endpoint that listens from one side to your applications, and communicate from the other side with Azure multi-factor authentication services using https. On-premise applications can communicate with the Azure Multi-Factor Authentication server using many protocols. For example, you can configure your VPN server to use the MFA server as the RADIUS server, and right away, you would have a multi factor authentication solution for your VPN clients. Azure Multi-Factor Authentication server usually connects to your Active Directory to pull the mobile number for your users, or you can supply mobiles numbers manually. The MFA server will then communicate with the Azure cloud services and send the mobile number along with the user name, so that the second factor authentication can take place.
Azure Multi-Factor Authentication server acts as a proxy between your applications that need two factor authentication, and Azure multi-factor authentication service. When you install Azure MFA sever on-premises, two portals get installed:
- Mobile App Portal, that is used to enable mobile app authentication.
- Self Service Portal, that is used by users and administrators to manage their multi-factor authentication profiles.
Let us assume that you have Active Directory where all your user accounts are hosted with their mobile numbers.
Now, if you are deploying a VPN server and you want your remote clients to connect with two-factor authentication, then you can deploy Azure MFA server on-premises.
Azure Multi-Factor Authentication server can be configured to connect to your Active Directory and sync your user accounts and their mobile numbers.
From the other side, most VPN servers offer RADIUS support. You can configure your VPN server to use the Azure MFA server on-premises as the RADIUS server, as it listens to RADIUS ports. From the VPN server perspective, Azure Multi-Factor Authentication server is just another RADIUS server.
Now, let us see how users will connect in this setup. They will dial your VPN server, which will ask the RADIUS server to carry on the authentication. The RADIUS server in this case is your Azure MFA Server. Azure MFA server will challenge the user with username and password, and will contact the local Active Directory for verification.
After successful username and password authentication, Azure MFA server will proceed with the second factor authentication. It will connect to Azure multi-factor authentication service in Azure, give it the username, his mobile number, and the second factor authentication preference (sms, call, mobile app).
Azure MFA service will then challenge the user through his second factor authentication preference, and after successful second factor authentication, Azure MFA cloud service will return to the on-premises Azure MFA server a success signal. Azure MFA server on-premises will then return a success signal to the VPN server, which means the user has been authenticated.
If you have IIS server that you want to secure, there is IIS plugins where the request to the web page is intercepted by the MFA plugins. The plugin will authenticate the user using multi-factor authentication. If the authentication did not work, the plugins will send a denial page back to the requester. I guess that for this to work, you must install the MFA server in the IIS server itself.
There is an option Cancel and Report Fraud, which is very interesting. Suppose you are at home watching TV, and out of nowhere, you receive such verification message on your Azure MFA mobile app. This means that someone is trying to authentication on your behalf. Since MFA server will not try the second authentication method until it verifies the username and password, this means that someone else has successfully logged on using your credentials, and he reached phase two of the multi-factor authentication process.
By clicking report fraud, not only the request will be denied, but also puts a block on your user in the cloud service, so that the cloud service will not continue send push notification for coming fraud requests. You can also as an administrator, enable SMTP notification to notify a group of people for fraud reporting cases.
Azure Multi-Factor Authentication server Deployment
Download the bits
First of all, you should have an Azure account, you can sign up for free account here. Logon to the Azure portal and go to Active Directory on the left menu, then select MULTI-FACTOR AUTH PROVIDERS at the top, and then select NEW at the bottom.
Go to APP SERVICES > ACTIVE DIRECTORY> MULTI-FACTOR AUTH PROVIDER> QUICK CREATE.
Create a descriptive name like (Corporate Pilot) in my case, choose the usage model (Per Enabled User or Per Authentication), and choose (Do not link a directory) since we are evaluating the MFA Server without having an AD in Azure yet.
The option (Do not link a directory) means that we do not have Azure Active Directory with our AD accounts synchronized there. So if you already have Azure Active Directory and you want to enable MFA for those cloud accounts, then you should choose to link the MFA to directory.
After that, click Manage at the bottom to open the MFA management portal.
Here you will be redirected to the MFA management portal, click Downloads, and then download the MFA server.
Also, you have to click on Generate Activation Credentials. Those credentials are valid for short period of time, and you can come back any time to regenerate them without any extra cost or damage. This code is used to activate Azure Multi-Factor Authentication server, when you start installing it.
Before installing the MFA server
The installation of the Azure Multi-Factor Authentication server consists of the following:
- The installation of the MFA server and management console.
- The installation of three web services:
- User Portal
- Mobile App service
The user portal is an IIS site that your users can log on to, and perform many tasks like:
- Change their mobile number that MFA server will use to perform the second factor authentication. You can configure the MFA server to sync mobile numbers from AD and not allow users to change their mobile numbers via this portal.
- Set couple of security questions. These questions can be used by an IT Operator to verify the identity of the user, if the user calls the help desk and ask him to change the second factor method (mobile app notifications instead of mobile call for example)
- Activate their mobiles so that they can receive notifications in case of mobile app options.
The SDK service is used for custom integration with Azure Multi-Factor Authentication server, and it is must be installed if you want to use the mobile app notification feature, as the mobile app service will connect to the SDK IIS virtual directory to connect to the MFA server.
The mobile app service is the service that mobile apps connect to, to submit the verification. This service should be published externally and should resolve to external DNS name.
You can install the portals in different server than the Azure Multi-Factor Authentication server itself. For simplicity, I will choose to install the MFA server and the three portals onthe same Windows 2012 R2 machine.
Installing the MFA server
I will be using Windows 2012 R2 server for my Azure Multi-Factor Authentication server and portals. Now that you have downloaded the Azure MFA server, run the installation wizard, and click next until it is installed. No conflagration needed at this time.
You can check the hardware and software requirements from Microsoft TechNet documentation.
Now open the MFA console and activate the product using the activation keys you obtained from the Azure management portal, when you downloaded the Azure Multi-Factor Authentication server bits. Make sure the server can connect to internet using http/https for the activation to work. Also make sure the server always can connect to internet using these ports, as the server needs to connect to Azure for every authentication request verification.
Installing Azure MFA user Portal
The user portal is an IIS web site to allow users to enroll in Azure MFA server and maintain their accounts. Mainly, users can log on there, and choose if they want the second factor to be a phone call, SMS, or push notification on the mobile app. Also, you can give users the ability to change their phone number if you want.
You can install the user portal on a different server than the MFA server, but for simplicity, I recommend installing all portals on the MFA server itself. Here is a link that can help you with installation steps for more complex deployments.
You should have IIS installed including asp.net and IIS 6 meta base compatibility for IIS 7 or higher. During the installation of the user portal, a security group is created in AD, so make sure the account that is used to install the user portal can create security group in AD.
To install the user portal, open the MFA Server management console, go to the user portal node and check the settings available. Click Install User Portal when you are comfortable with the settings.
The user portal installation wizard will do the following:
- Security group in AD, placed under the built in Users container, called PhoneFactor Admins.
- User account called named PFUP_MFAServerName, where MFAServerName is the name of the MFA server.
- Adds the previously created account to the previously created security group.
Next, you will be prompted with the IIS web site to use (leave as default), and the virtual directory for the user portal. I usually change this to “Enroll” so that users will browse to https://servername/enroll instead of https://servername/MultiFactorAuth.
Now open IIS, you can see the virtual directory called Enroll. This is where end users will connect to manage their MFA profiles. For me, I also created a certificate and enforced HTTPS for the whole web site.
Install the MFA SDK
The SDK should be secured with SSL. Installing it is straight forward. Just open the MFA management console, go to Web Service SDK, and then run the installation. I will install it on the MFA server itself as we did with the user portal.
You may need to install Basic Authentication feature before you move on.
If you open IIS, you can see the SDK virtual directory.
Install the MFA Mobile App Web Service
You should install the MFA SDK before proceeding with the MFA mobile app web service. I will install the MFA mobile app web service on the same server also.
To start the installation, go to C:\Program Files\Azure Multi-Factor Authentication, choose the 32 or 64 bit installation file (MultiFactorAuthenticationMobileAppWebServiceSetup64) , and tun the installation file, change the virtual directory if needed.
I usually change the virtual directory to something like PA (stands for Phone App) instead of the long default one. Now go to your AD, and reset the account the is created by the wizard during the user portal deployment (the account that is member of the PhoneFactor admins group that gets created when you ran the installation wizard).
Now browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name), and edit the web.config file. Enter the user account that you have reset, and the password between the quotes in shown in the below section. It is recommended to use a qualified username (e.g. domain\username or machine\username).
Next change the URL shown below to your SDK virtual directory. Example is: https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx
Deployments tips and tricks
Mobile app offline one time password
The Azure Multi-Factor mobile app servers two things:
- Push notification: where you receive a push notification and you can click Verify, Cancel, or Cancel and report fraud.
- Offline OTP (one time password) that is changed every couple of seconds.
So the question is how to use the offline OTP? I have implemented a solution where I could use the offline OTP. To do this, the user should be configured with OATH token as shown in the below figure.
I am using Citrix NetScaler as a VPN gateway, I configured the vpn gateway to use the MFA server as the RADIUS server. Doing so, when a user is trying to connect to the NetScaler Gateway, he will be prompted with a username and password.
After a successful username and password verification, the user will be prompted to enter the OTP:
The user will open the Azure MFA mobile app, and will enter the OTP. This one time password is generated offline and keep changing with time:
What is nice about using OTP is that you do not need an internet connection on your mobile to complete the second factor authentication. If you are traveling and you do not have an internet connection on your mobile, you can use OTP.
To use OTP for the mobile app instead of push notification method that requires internet connection, the application that is requesting the multi-factor authentication should prompt users to enter the OTP. For example, if you are using Microsoft RRAS as your VPN solution, and the native VPN client on Windows, you cannot use the OTP, because the VPN client that comes with Windows does not know how to prompt for OTP after successful username and password verification.
Microsoft RRAS as a VPN solution
In this section, I will be showing you how to use Microsoft RRAS as your VPN solution, and connect to the MFA server as your RADIUS server to accomplish two-factor authentication. The RRAS server is running on Windows 2012 R2, and the VPN client will be using SSTP as the VPN protocol.
The following configuration are made to NPS. First, configuring the Connection Request Policy to point to the MFA server as the RADIUS server
Next is configuring the Network Policy with PAP as the authentication method. We are using PAP because we need the credentials to be sent to the VPN server, and then to the MFA server and we need the actual credentials not their hashes. Do not panic, as we are using SSTP as our VPN tunneling protocol, which uses https to secure the transmission. PAP authentication packets are protected inside the SSL tunnel.
Now open the RRAS console, configure the Authentication Methods as PAP, and configure a certificate for SSTP:
Finally, to enforce SSTP as the only tunneling protocol, go to Ports node, right click and click Properties, and configure the number of ports as shown below [for all ports except SSTP and PPTP, configure zero ports, and one port for PPTP]
Let us move to the client side. When a Windows client tries to connect to RRAS, it should be configured with PAP as the authentication method:
When you connect, the PAP credentials will be secured via the SSL tunnel, and then the MFA server will encrypt the credentials before sending them to the on-premises MFA server as shown in my trace:
The only thing you should worry about, is that the Microsoft VPN client on Windows client will time out quickly before the two-factor authentication finishes, a registry hack on the client may solve this issue to extend the time out:
Change this to 60 for example. Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you’ll beget an error.