Microsoft Unified Access Gateway 2010 using Microsoft Windows Azure for Multi-Factor Authentication

Passwords are not enough these days to keep someone from logging in as you.  Many public websites offer Multi-Factor Authentication (MFA) as an added layer on top of their normal login process.  Microsoft, Yahoo, Google, Evernote, Facebook and Twitter are just a few websites where you can enable MFA.  There are also companies that offer MFA that integrates with a company’s infrastructure; some popular names are Quest, SecurID, and PhoneFactor.  Now that Windows Azure offers MFA it’s possible to incorporate MFA into systems located at a data center or in offices while taking advantage of the cloud.  This allows a company to implement MFA without having to rely on proprietary hardware tokens that users have to carry around on their keyring.  Even with low-end cell phones MFA is possible.  A company also doesn’t need a VPN to Azure, VMs on Azure, or a website hosted on Windows Azure; as long as the MFA server can talk to the internet, MFA is possible.

 

As great as UAG is, it’s even better with MFA.  This blog will discuss how to incorporate Windows Azure MFA with UAG.  Best practices, advanced topics, and details of the MFA server itself are out of scope for this blog.  The purpose is to get MFA working bare bones with UAG so that it can be improved, modified, and tweaked in the future.  Some topics that won’t be covered are:

  • Other authentication methods
  • Differences in authentication
  • Planning
  • Integration for Exchange/Outlook webmail
  • Integration for websites
  • LDAP
  • MFA server redundancy
  • Anything else

 

Prerequisites:

  • A Windows Azure account
  • A workstation or server that will be dedicated as the multi-factor authentication server
  • A working UAG server

 

Rough Steps:

  • Create a new multi-factor auth provider in Windows Azure by clicking New, App Services, Active Directory, Multi-Factor Auth Provider, Quick Create.  Name it and choose the usage model.  Per enabled user charges a fee per user per month; per authentication charges a fee per authentication.  Please refer to the current Windows Azure prices.  It’s important to note that once a usage model is set it can’t be changed.  For the directory make sure it’s set to “do not link a directory”.  Click Create.
  • In a short amount of time the new multi-factor auth provider will be created.
  • Highlight the new multi-factor auth provider and click Manage.
  • This will bring up a new window/tab.  Notice how the URL is a phonefactor.net website.  Click Downloads.
  • A list of the servers and workstations the multi-factor authentication server can be installed and run on will be shown.  It can be installed and run on either a server or a workstation class machine.  Click the download link to download the software.
  • Once the software is downloaded copy it to the designated MFA server.  A recommendation would be to access the website from the MFA server, because some copying and pasting will need to be done from the website into the MFA application.  Run the MFA software to install it.
  • Once finished a setup wizard will appear.  Click Next.
  • For the email and password go back to the website where the software was downloaded.  At the bottom of the webpage click Generate Activation Credentials to get the activation email and password.
  • Enter the email and password that were generated on the website and click Next.
  • Since this is a new install enter a new group name and click Next.
  • Click Next, as enabling replication between MFA servers is out of scope for this blog.
  • Choose RADIUS, as UAG will be the RADIUS client and the MFA server will be the RADIUS server.
  • Enter the IP address of the UAG server with a secure shared secret.  The authentication ports should be fine.  If there is more than one UAG server, additional RADIUS clients can be added later in the MFA server.  Click Next.
  • Windows credentials need to be passed, so choose Windows domain and click Next.
  • Click Next.
  • Click Finish.
  • The MFA server console will open up and the Users section should be blank.  In this example AD users will be imported, so click Import from Active Directory at the bottom of the window.
  • There are many options, but in this test AD environment there are only two users, so clicking Import will import both of those users.
  • When the import is finished a summary window will appear.  Click OK after reviewing it, then click Close in the Import from Active Directory window.
  • Two users were imported and both are disabled.  For this blog we want to enable the user Adam, set a cell number (if AD is properly populated this can be imported), and choose how to authenticate.  To do this highlight the user and click Edit.
  • In the edit window put a check in Enabled, enter a phone number with area code, and choose Text Message OTP.  This will enable the account, assign a phone number, and send a text message to which the user will have to reply with the one-time password to authenticate.  There are other methods, but those are outside the scope of this blog.  Click Apply, then Close when finished.
  • The user Adam is now enabled.
  • Since this is a new implementation of MFA it’s recommended to test before continuing.  To do so highlight the user and click Test.  A window will appear with the username and primary authentication filled in.  Type in the password and click Test.
  • At this time a text message will be sent to the user’s cell phone.  The message will say (123456 being a random number):
    “123456 Reply with this verification code to complete your sign in verification to Multi-Factor Authentication server.”
  • If the user replies and Windows Azure receives the text message, a success window will appear.
  • If the user does not reply or Windows Azure does not receive the reply in time, a failure window will appear.
  • Now that the MFA server is at least communicating with Windows Azure it’s time to configure UAG to use MFA.
  • During the MFA setup the RADIUS client IP/name, shared secret, and ports were configured.  In UAG the authentication server needs to be changed from the domain controller to RADIUS for the trunk that is being tested and worked with.
  • In UAG create a new authentication server.  The server type will be RADIUS; name it under Server name; IP address/host will be the MFA server that was created; the port should not need to be changed; type in the secret key; and check Support challenge-response mode.  Click OK, then Close.
  • In the trunk remove the current authentication server and replace it with the RADIUS one that was just created.  Click OK, then activate the configuration in UAG.
  • Test by navigating to the UAG trunk page, typing in the username and password, then clicking Log On.  A text message should be sent to the user’s cell phone, which needs to be replied to.  During this time the browser will be working but it won’t change screens.  After Windows Azure receives the text message with the password in it the portal page should appear.
  • Notice how the browser is working (spinning circle in the tab) while waiting for the text message reply.
  • Windows Azure received the text message.
  • Of course, since the MFA process adds time to the login, the RADIUS timeouts will need to be increased in UAG.  This is true with most applications that will use MFA.
  • The RADIUS application will need to be named in the MFA server so the text message will be more meaningful.
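As an added illustration (not code from this post, from UAG or from the MFA server), the Python below models the RADIUS exchange the steps above configure: the client (UAG) hides the password with the shared secret per RFC 2865, the server (the MFA server) answers with an Access-Challenge carrying a State attribute that the OTP round echoes back, and the client checks the Response Authenticator so a reply forged or altered without the secret is rejected.  The secret, username and State value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11            # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; anyone holding the shared secret can recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(ident, username, password, secret, state=None, authenticator=None):
    """What the RADIUS client (UAG) sends; State is echoed back on the OTP round."""
    auth = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    if state is not None:
        attrs.append((ATTR_STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def build_reply(code, ident, request_auth, attrs, secret):
    """What the RADIUS server (the MFA server) sends, e.g. an Access-Challenge for the OTP."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def reply_is_authentic(reply, request_auth, secret) -> bool:
    """Client check: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Because both the password hiding and the authenticator rest on MD5 of the shared secret, the strength of that secret is what keeps a captured UAG-to-MFA-server packet from yielding the password or a forged accept.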

 

Summary

Technically it’s quite easy to add MFA to UAG.

How to change an Azure VM RDP public port number

Tonight I decided to connect to my Microsoft Windows Azure environment from a hotel to test a few things.  When I tried to connect via RDP I was unable to successfully connect. 

  • I signed into my Azure account.
  • I chose my VM.
  • I clicked connect.
  • I chose to open the RDP file.
  • I clicked connect at the security warning.
  • It hung for a while at “connecting to”.
  • Eventually I got the typical “Remote Desktop can’t connect to the remote computer for one of these reasons” error.
  • This was odd as the VM is on and I had internet access.  I decided to look at the endpoints.  I noticed the public endpoint for RDP was an Azure-typical high random public port number.  I wondered if there was something at this hotel that was blocking outbound access on that high port number.
  • I decided to edit the RDP public port number by clicking edit.
  • I changed the port number to something lower (from 55220 to 20309).
  • Azure updating.
  • Azure updated.
  • Now the public RDP port number was a little lower.
  • I went through the same steps to RDP to my Azure VM.
  • Connect.
  • Open the RDP file.
  • Connect anyway in the security warning box.
  • It tried to connect on that lower port number.
  • It worked!

 

Sometimes you can’t control or even know about the environment you’re at, but it’s always nice to know you can change some things in Azure to get around it.

Microsoft Windows Azure PowerShell updated

Microsoft updated Azure PowerShell on Thursday, November 7, 2013 with version 0.7.1.  If you have an older version you might want to upgrade using the link below.

https://github.com/WindowsAzure/azure-sdk-tools/releases

Regression fixes:

  • Get-AzureWinRMUri cannot return the correct port number (#2056)
  • New-AzureVM fails when creating a VM with a domain join provisioning (#2055)
  • ACL for endpoints broken (#2054)
  • Restarting web site will clean the host names (#2101)
  • Creating a new Linux VM with an SSH certificate fails (#2057)
  • Debug stream only prints out at the end of processing (#2033)

Cmdlets for creating Storage SAS tokens:

  • New-AzureStorageBlobSASToken
  • New-AzureStorageContainerSASToken
  • New-AzureStorageQueueSASToken
  • New-AzureStorageTableSASToken

VM cmdlets for Windows Azure Pack:

  • Get-WAPackVM
  • Get-WAPackVMOSDisk
  • Get-WAPackVMSizeProfile
  • Get-WAPackVMTemplate
  • New-WAPackVM
  • Remove-WAPackVM
  • Restart-WAPackVM
  • Resume-WAPackVM
  • Set-WAPackVM
  • Start-WAPackVM
  • Stop-WAPackVM
  • Suspend-WAPackVM


One does not simply upload a VM to Azure

Meme created by my co-worker Clay More.  I would point you to his website/blog but he doesn’t have one.

I love the above meme and it’s true.  Uploading a virtual machine (VM) to Azure is not as simple as one would think.  The information below basically explains how to upload a sysprepped VM template to Azure.  This template can be used to create future VMs.  I’m assuming you have basic knowledge of creating self-signed certificates, installing software, and a few other things.

First, before you do anything, make note that Azure does not currently support the new VHDX format introduced with Microsoft Windows 2012.  This may change in the future, but today just plan on using the VHD format.  If you already have a VM in the VHDX format you can convert it using Hyper-V Edit Disk.
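As an added pre-upload check (not part of this post and not part of csupload), the Python below tells a VHD from a VHDX by their on-disk signatures and validates the VHD footer checksum, reading only the first 8 and last 512 bytes so a multi-GB image is not read in full before a long upload.  The footer produced by make_vhd_footer is constructed for self-testing; real footers come from Hyper-V.

```python
import struct

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"        # VHD footer cookie, in the last 512 bytes of the file
VHDX_SIGNATURE = b"vhdxfile"    # VHDX file type identifier, in the first 8 bytes
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum with the checksum field (offset 64) left out."""
    return ~sum(footer[:64] + footer[68:]) & 0xFFFFFFFF


def inspect_image(head: bytes, tail: bytes) -> dict:
    """Classify an image from its first 8 and last 512 bytes; azure_ok is False for VHDX/unknown/corrupt."""
    if head[:8] == VHDX_SIGNATURE:
        return {"format": "vhdx", "azure_ok": False, "reason": "VHDX is not supported, convert to VHD"}
    footer = tail[-VHD_FOOTER_SIZE:]
    if len(footer) < VHD_FOOTER_SIZE or footer[:8] != VHD_COOKIE:
        return {"format": "unknown", "azure_ok": False, "reason": "no VHD footer found"}
    if vhd_footer_checksum(footer) != struct.unpack(">I", footer[64:68])[0]:
        return {"format": "vhd", "azure_ok": False, "reason": "footer checksum mismatch (corrupt or truncated)"}
    disk_type = DISK_TYPES.get(struct.unpack(">I", footer[60:64])[0], "unknown")
    size = struct.unpack(">Q", footer[48:56])[0]   # current size: what a fixed VHD occupies in the blob
    return {"format": "vhd", "disk_type": disk_type, "size_bytes": size, "azure_ok": True, "reason": "ok"}


def inspect_file(path: str) -> dict:
    """Read only the head and tail so a multi-GB image is checked without reading it all."""
    with open(path, "rb") as f:
        head = f.read(8)
        f.seek(0, 2)
        f.seek(max(0, f.tell() - VHD_FOOTER_SIZE))
        tail = f.read(VHD_FOOTER_SIZE)
    return inspect_image(head, tail)


def make_vhd_footer(current_size: int, disk_type: int) -> bytes:
    """Build a minimal valid footer (constructed for self-tests; real ones come from Hyper-V)."""
    body = bytearray(VHD_FOOTER_SIZE)
    body[0:8] = VHD_COOKIE
    struct.pack_into(">Q", body, 48, current_size)
    struct.pack_into(">I", body, 60, disk_type)
    struct.pack_into(">I", body, 64, vhd_footer_checksum(bytes(body)))
    return bytes(body)
```

Run inspect_file on the VHD before csupload and treat anything other than format "vhd" with reason "ok" as a stop; the reported size_bytes is the space a fixed-size copy of the disk will take in blob storage.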

Before you even attempt to upload a VM to Azure there are a bunch of steps you need to do first. 

If you have not uploaded a management certificate to Azure you need to do this first.  These certificates are used by the SDK tools, the Windows Azure Tools for Microsoft Visual Studio, and the Windows Azure Service Management REST API.  These certificates are independent of any hosted service or deployment, meaning if you want to manage Azure you need management certificates.

There are various ways to generate a management certificate.  In my example I created a self-signed cert by using IIS.

Once you generate a self-signed cert in IIS it automatically puts it in Certificates (Local Computer) > Personal > Certificates.  Since you’ll be using the CSupload.exe command you need to get this cert into YOUR Current User > Personal > Certificates container in the Certificates MMC.  I did it by going to Certificates (Local Computer) > Personal > Certificates, double clicking the self-signed cert, clicking the Details tab, then clicking Copy to File.  It walks you through a wizard where you can save it without the private key as a CER file.  From there, import that CER file into the Certificates > Current User > Personal > Certificates container.

The next step is to export that cert with the private key to a PFX file.  This is the file that you upload to Azure using the portal page.

Once you upload your certificate, copy the subscription identifier and the thumbprint of the certificate you just uploaded.  You can get that information from the portal page.

Now you can open the Windows Azure Command Prompt.

The first thing you need to do is set the connection info.  Below is the command I used (I changed a few letters and numbers so you don’t know my real subscription ID or certificate thumbprint).
csupload.exe set-connection "SubscriptionID=ABC-123;CertificateThumbprint=XYZ789;ServiceManagementEndpoint=https://management.core.windows.net"

Now we’re ready to upload our sysprepped image.  For the destination you have to visit the Azure portal and go into Storage to get the URL of your blob storage.  I used the command below, changing the blob URL so you don’t know what mine is.  BE SURE TO CHANGE THE BLOB URL FROM HTTP TO HTTPS OR YOU WILL GET A WARNING.
csupload Add-PersistentVMImage -Destination "https://portalvhdabc123.blob.core.windows.net/VHDS/sys.vhd" -Label "2012 Sys Prepped" -LiteralPath "C:\vms\sys.vhd" -OS Windows

Depending on your upload bandwidth, in a few minutes or hours (in my case) your image is in Azure!

Create a self-signed certificate in IIS
http://technet.microsoft.com/en-us/library/cc753127(v=WS.10).aspx

CSupload commands
http://msdn.microsoft.com/en-us/library/windowsazure/gg466228.aspx