WMUG 10th Anniversary Follow Up – Azure MFA
WMUG Attendees – Thank You
First of all I would like to thank everyone who made the effort to turn up to the WMUG 10th Anniversary event in Microsoft, Paddington last month. Community is without a doubt the best place to learn and share real world experiences.
Unfortunately near the end of the session that Terence Beggs (@TerenceBeggs) and I were running on Azure MultiFactor Authentication the demo gods struck and our datacenter ISP suffered a minor outage resulting in a flaky connection to our live demo infrastructure (lesson learned to bring the VM’s on my local machine the next time).
So as promised here is both a follow up and a recap on the subject of Azure MultiFactor Authentication, the installation documentation on this product is excellent (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/#install-and-configure-the-azure-multi-factor-authentication-server) so I won’t re-hash the same details but I will cover the key area’s.
A full run through of creating the MFA provider, installing the back-end server and demonstration of using MFA with an RD Gateway is included in the PowerPoint presentation from the link below;
What is Azure MultiFactor Authentication (MFA)?
Microsoft Azure Authentication is a product used to provide secondary authentication for systems both on-premise and in the cloud. Originally developed by a company called Phone Factor, the company was purchased in 2012 and re-branded / integrated into the Azure product stack in 2013.
MFA can be used purely as a cloud service with systems such as Office 365, SaaS apps and Azure App Proxy, for on premise applications including IIS, RDS and VPN systems there is an on-premise application and this is what I am going to focus on for this blog post.
For more information on the differences between MFA cloud vs on-premise visit https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started/
Where Do I Get Started?
MFA is available as both a pay as you use and subscription (OPEN/MPSA etc) service, the pay as you use model is particularly useful if you want to run the system as a proof of concept.
To sign up you will need a Microsoft Azure enabled account, you can create one and even take advantage of a free trial account with €170 of credit at https://azure.microsoft.com/en-us/free/ and pricing details are available from https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/.
I’ve Signed Up for an Azure Account.. Now Where Do I Go?
Adding the MultiFactor service to your Azure account could not be easier. Simple log onto the Azure management portal and click on the following;
- New App Service
- Active Directory
- Multi-Factor Authentication Provider
- Quick Create
At the last step you will be prompted as to the licensing model you wish to use, this can not be changed after this point so be careful when selecting. The choices are;
- Per Enabled User
- Per Authentication
If you change your mind post set up you must create a new MFA provider so although it is best to get this right the first time, it can be easily re-created if needed.
Downloading MFA On-Premise
Downloading the MFA on-premise server application is a straight forward process. Once your Azure MFA provider has been set up you simply log onto the portal and click on the Downloads link. On the Downloads page you will also have the ability to generate activation credentials, you will need these details to install the service (note that when you generate activation details they only last for 10 minutes for security purposes).
Planning Your MFA Deployment (Securely Publishing The Site)
Planning your MFA installation should take into account security factors for publishing resources over the public internet. Some examples of deployment scenarios are included within the PowerPoint slides, however you should always discuss these with your security team prior to implementation.
For the majority of installations the front end web portal should be published on a VM within your DMZ and access to the back-end MFA server provided via access control lists on your corporate firewall via ports 443 and 4898. An exception to this is whereby you are using a reverse proxy such as Pulse Secure SSL, F5, Citrix NetScaler, Barracuda, etc.
Note that you will also need to provide direct HTTPS (Port 443) access to the following IP addresses for communications with the Azure MFA service;
- 184.108.40.206 – 220.127.116.11
- 18.104.22.168 – 22.214.171.124
- 126.96.36.199 – 188.8.131.52
To publish the MFA portal you will also need a trusted CA signed certificate. Personally I am using a previously purchased wild card cert but certificates are cheap these days, so visit your trusted CA site (GoDaddy for example) and obtain your internet facing SSL cert.
Installing Your MFA Back-End Application Server
- .Net Framework 4.5
- KB 2919355 on Server 2012 R2 (https://support.microsoft.com/kb/2919355)
The updates must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018
Once you have ensured all pre-requisites are installed, installing the app server component is very straight forward.
Installing the User Portal, Web SDK and Mobile App Portal
During the post installation configuration stage you must install the user portal components to allow users to self enroll and manger their MFA account.
The User and Web Service SDK portals are installed directly within the MFA console, however if you wish to use the Azure Authenticator app for verifying your user sessions you will need to install the Mobile App Web Service portal manually from the following location;
C:\Program Files\Multi-Factor Authentication Server\MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
Modifying Portal Configuration XML
Depending on the final design of your deployment you will have to modify a number of the Web.Config IIS configuration files so that the portals are externally accessible and a privileged service account which is a member of the PhoneFactor Admins security group is used for authenticating with the MFA back end server.
- MultiFactorAuthMobileAppWebServiceHere you will need to edit the following sections;
<add key=”WEB_SERVICE_SDK_AUTHENTICATION_USERNAME” value=”DOMAIN\Service-Account-Name” />
<add key=”WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD” value=”Password” /><setting name=”pfpaws_pfwssdk_PfWsSdk” serializeAs=”String”>
- WebServiceSDKEdit the following;
<identity impersonate=”true” password=”Password” userName=”DOMAIN\Service-Account-Name” />
Verifying Mobile App Configuration
Once you have configured your XML files and opened the required firewall ports (443, 4898), you should test communications between your front end web server and back-end MFA server.
To do so log onto your front end web server and open the following URL : https://localhost/MultiFactorAuthMobileAppWebService/
Click on TestPfWsSDKConnection and click on the Invoke Button to check communications / security between the two servers.
If successful you should see the following XML string returned;
<?xml version=”1.0″ encoding=”UTF-8″?>
Branding Your MFA Portal
If you want to change the look of the MFA portal, this can be achieved by copying the entire default theme located in C:\inetpub\wwwroot\MultiFactorAuth\App_Themes and place it in the same directory. Now edit the Web.Config file located in the C:\inetpub\wwwroot\MultiFactorAuth directory and edit the following section;
<pages theme=”Default” controlRenderingCompatibilityVersion=”3.5″ clientIDMode=”AutoID”/>
<pages theme=”Your_New_Theme” controlRenderingCompatibilityVersion=”3.5″ clientIDMode=”AutoID”/>
A Final Note – Changes On The Way For The Azure Authenticator App
On August 15th Microsoft is releasing an updated version of the mobile app, they will be re-branding it as “Microsoft Authenticator” and the update will apply to existing installations of the Azure Authenticator app.
The new app brings a complete refreshed design along with these key features;
- Support for wearable devices
Both the Apple Watch and Samsung Gear will be supported
- Finger Print Approval
Use your finger print instead of your passcode
- Certificate Based Authentication
Enterprises can utilise their PKI to deploy codes and remove the need for pass-codes
More information is available on Technet at https://blogs.technet.microsoft.com/enterprisemobility/2016/07/25/microsoft-authenticator-coming-august-15th/
If you have any questions regarding the setup, implementation or any aspect of Azure MFA please feel free to reach out and I will do my best to help you out.