Passwords alone are no longer enough to keep someone else from logging in as you. Many public websites offer Multi-Factor Authentication (MFA) as an added layer on top of their normal login: Microsoft, Yahoo, Google, Evernote, Facebook and Twitter are just a few where you can enable it. There are also companies that offer MFA products that integrate with a company's own infrastructure; some popular names are Quest, RSA SecurID, and PhoneFactor. Now that Windows Azure offers MFA, it is possible to add MFA to systems located in a data center or office while taking advantage of the cloud. A company can implement MFA without relying on proprietary hardware tokens that users have to carry on their keyring, and even a low-end cell phone works as the second factor. A company also does not need a VPN to Azure, VMs in Azure, or a website hosted on Windows Azure: as long as the MFA server can reach the internet, MFA is possible.
As great as UAG (Microsoft Forefront Unified Access Gateway) is, it is even better with MFA. This blog post walks through integrating Windows Azure MFA with UAG. Best practices, advanced topics, and the MFA server itself are out of scope; the goal is to get a bare-bones MFA setup working with UAG that can be improved, modified, and tweaked later. Topics that will not be covered:
- Other authentication methods
- Differences in authentication
- Integration for Exchange/Outlook webmail
- Integration for websites
- MFA server redundancy
- Anything else beyond the bare-bones setup

What is needed:
- A Windows Azure account
- A workstation or server that will be dedicated as the multi-factor authentication server
- A working UAG server
- Create a new multi-factor auth provider in Windows Azure: click New, App Services, Active Directory, Multi-Factor Auth Provider, Quick Create. Name it and choose the usage model. Per enabled user charges a fee per user per month; per authentication charges a fee per authentication. Refer to the current Windows Azure pricing. Note that once a usage model is set it cannot be changed. For the directory choose "Do not link a directory". Click Create.
- After a short wait the new multi-factor auth provider will be created.
- Highlight the new multi-factor auth provider and click Manage.
- This opens a new window/tab. Notice that the URL is a phonefactor.net site (PhoneFactor is the company whose service Microsoft acquired for Azure MFA). Click Downloads.
- The page lists the server and workstation operating systems the multi-factor authentication server can be installed and run on; either class of machine works. Click the download link to get the software.
- Once the software is downloaded, copy it to the designated MFA server. It is easiest to browse to the site from the MFA server itself, because activation credentials will need to be copied from the website into the MFA application. Run the MFA installer.
- When the install finishes a setup wizard appears. Click Next.
- For the email and password, go back to the website the software was downloaded from. At the bottom of the page click Generate Activation Credentials to get an activation email and password.
- Enter the email and password generated on the website and click Next.
- Since this is a new install, enter a new group name and click Next.
- Click Next; replication between MFA servers is out of scope for this post.
- Choose RADIUS: UAG will be the RADIUS client and the MFA server will be the RADIUS server.
- Enter the IP address of the UAG server and a strong shared secret. The default authentication ports should be fine. If there is more than one UAG server, additional RADIUS clients can be added later in the MFA server. Click Next. One caveat: RADIUS hides the User-Password attribute only with an MD5 stream keyed by the shared secret, so a short or guessable secret exposes domain passwords to anyone who can capture the traffic between UAG and the MFA server. Use a long random secret and keep that path on a trusted network segment.
- Windows credentials will be passed through, so choose Windows Domain and click Next.
- Click Next.
- Click Finish.
- The MFA server console opens and the Users section is blank. In this example AD users will be imported, so click Import from Active Directory at the bottom of the window.
- There are many import options, but this test AD environment has only two users, so clicking Import brings in both of them.
- When the import finishes a summary window appears. Review it, click OK, then click Close in the Import from Active Directory window.
- Two users were imported and both are disabled. For this post we will enable the user Adam, set a cell number (if AD is properly populated the number can be imported), and choose how he authenticates. Highlight the user and click Edit.
- In the edit window check Enabled, enter a phone number including the area code, and choose Text Message OTP. This enables the account, assigns the phone number, and means a text message will be sent that the user must reply to with the one-time password to authenticate. Other methods exist but are outside the scope of this post. Click Apply, then Close.
- The user Adam is now enabled.
- Since this is a new MFA implementation it is worth testing before continuing. Highlight the user and click Test. A window appears with the username and primary authentication filled in. Type the password and click Test.
- A text message is sent to the user's cell phone. The message reads (123456 being a random code):
"123456 Reply with this verification code to complete your sign in verification to Multi-Factor Authentication server."
- If the user replies and Windows Azure receives the text message, a success window appears.
- If the user does not reply, or the reply does not reach Windows Azure in time, a failure window appears instead.
- Now that the MFA server is at least communicating with Windows Azure, it is time to configure UAG to use it.
- During MFA setup the RADIUS client IP/name, shared secret, and ports were configured. In UAG the authentication server for the trunk being tested needs to be changed from the domain controller to RADIUS.
- In UAG create a new authentication server: server type RADIUS, a name under Server Name, the MFA server's IP address/host, the default port, the shared secret as the secret key, and check Support Challenge-Response Mode. Click OK, then Close.
- In the trunk remove the current authentication server and replace it with the RADIUS one just created. Click OK, then activate the configuration in UAG.
- Test by browsing to the UAG trunk page, typing the username and password, and clicking Log On. A text message is sent to the user's cell phone and must be replied to. Meanwhile the browser keeps working but does not change screens. After Windows Azure receives the reply containing the one-time password, the portal page appears.
- Notice that the browser is still working (spinning circle in the tab) while it waits for the text message reply.
- Windows Azure received the text message.
- Because the MFA step adds time to the login, the RADIUS timeout in UAG needs to be increased: the RADIUS request stays open from the moment the user clicks Log On until the reply arrives, so the timeout has to cover the time a user takes to read and answer the text. The same applies to most applications that use MFA.
- Name the RADIUS application in the MFA server so the text message is more meaningful to the user.
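To show what actually passes between UAG (the RADIUS client) and the MFA server (the RADIUS server) once the steps above are done, here is an added, self-contained Python walk-through of the RFC 2865 exchange. It is example code written for this post, not code from the blog or from the MFA product: the shared secret, NAS IP, user "adam", his password and his one-time code are all constructed values, and the ToyMfaRadiusServer class is a stand-in for the MFA server's RADIUS listener. It shows the User-Password hiding that the shared secret protects, the Response Authenticator a client must check before trusting a reply, and the Access-Challenge/State round trip that UAG's "Support challenge-response mode" setting accommodates. In the text-message flow described above the MFA server instead holds the first Access-Request open until the reply arrives, which is exactly why the UAG RADIUS timeout has to be raised.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

# Constructed values for this walk-through; a real deployment uses its own
SHARED_SECRET = b"example-shared-secret-change-me"
UAG_NAS_IP = "10.0.0.5"

def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: XOR the NUL-padded password with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = struct.unpack("!BB", pkt[i:i + 2])
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def build_access_request(secret, ident, username, password, nas_ip, state=None):
    """Client side (UAG). Returns the packet and its random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(secret, req_auth, password.encode())),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    if state is not None:  # second leg of a challenge: echo the server's State
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth

def build_response(secret, code, ident, req_auth, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(secret, req_auth, pkt):
    """Client side: only trust a reply whose Response Authenticator checks out."""
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

class ToyMfaRadiusServer:
    """Stand-in for the MFA server's RADIUS listener (constructed for this example)."""
    def __init__(self, secret, ad_passwords, otp_by_user):
        self.secret, self.ad, self.otp, self.pending = secret, ad_passwords, otp_by_user, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a[USER_NAME].decode()
        pw = reveal_password(self.secret, req_auth, a[USER_PASSWORD]).decode()
        if STATE in a:  # second leg: User-Password now carries the one-time code
            ok = self.pending.pop(a[STATE], None) == user and pw == self.otp.get(user)
            return build_response(self.secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if self.ad.get(user) != pw:  # primary (AD) credential check failed
            return build_response(self.secret, ACCESS_REJECT, ident, req_auth, [])
        state = os.urandom(8)  # opaque token tying the second leg to this login
        self.pending[state] = user
        return build_response(self.secret, ACCESS_CHALLENGE, ident, req_auth,
                              [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")])

def run_exchange(username, password, otp, secret=SHARED_SECRET):
    """Drive one login through the toy server; returns the final RADIUS code."""
    server = ToyMfaRadiusServer(secret, {"adam": "P@ssw0rd!"}, {"adam": "123456"})
    req, req_auth = build_access_request(secret, 1, username, password, UAG_NAS_IP)
    reply = server.handle(req)
    if not verify_response(secret, req_auth, reply):
        raise ValueError("Response Authenticator mismatch: reply is not from the MFA server")
    code, _, _, attrs = parse_packet(reply)
    if code != ACCESS_CHALLENGE:
        return code
    req2, req_auth2 = build_access_request(secret, 2, username, otp, UAG_NAS_IP, state=dict(attrs)[STATE])
    reply2 = server.handle(req2)
    if not verify_response(secret, req_auth2, reply2):
        raise ValueError("Response Authenticator mismatch on the challenge reply")
    return parse_packet(reply2)[0]

if __name__ == "__main__":
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print(names[run_exchange("adam", "P@ssw0rd!", "123456")])
```

Two things in the code matter for the setup above. First, hide_password shows why the shared secret deserves care: the password is XORed with MD5(secret + authenticator), so anyone who captures the UAG-to-MFA traffic and can guess the secret recovers domain passwords. Second, verify_response is the only thing that stops a spoofed Access-Accept from an attacker on that path, and it too depends entirely on the secret; UAG performs this check for you, which is why the secret entered in UAG must match the one configured for the RADIUS client in the MFA server.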
Technically it’s quite easy to add MFA to UAG.