In this blog post we are going to install and configure Multi-Factor Authentication for on-premises purposes. I will divide it into a couple of sections:
- Setup Azure MFA Provider and install first server (this post)
- Configure ADFS MFA integration
- Configure User Portal
- Install MFA Mobile and Web Service SDK
- Test case: Configure Remote Desktop Gateway to use Multi-Factor Authentication.
Ok let’s roll…
In the last post I explained how to enable the Multi-Factor Authentication Provider in the Azure Portal. Now let's open it and choose Manage:
This takes you to the PhoneFactor Portal:
Click the Downloads button to download the Server Agent.
This will download MultiFactorAuthenticationServerSetup.exe; save it so you can copy it to the MFA server later.
Log in on the MFA server and install .NET Framework 3.5:
After the .NET install is complete, copy over the installer and run it:
Click Next:
It will install the files needed; when it is ready, choose Finish.
And we are done with the server install.
I prefer to skip the wizard and configure the components manually, so I check the box and choose Next.
Go back to the Azure Portal and select Manage multi-factor provider:
Then under Download settings you have the option to generate an activation code:
Enter the activation details in the MFA Server tool and click Activate:
After activation I chose to use the default group; you can create your own groups if you want:
To run multiple servers you need to enable replication. I will show how to configure that in a later post.
And the console is ready to configure:
Now we have installed the first Multi-Factor Authentication server and can configure the components in the portal.
The first thing I change is the handling of imported users who are disabled: by default their authentication succeeds. I want to force users to set up their multi-factor authentication through the User Portal first, and otherwise to fail authentication. To do this, go to Company Settings and change the setting from "Succeed authentication when user is disabled" to fail authentication.
There are different authentication settings to choose from. Make sure you select the correct and allowed authentication methods in Company Settings. For example, if you plan to use Remote Desktop Gateway, don't enable OATH, because Remote Desktop Gateway cannot present a prompt to enter the response code. Think about the solutions you wish to provide and enable only the methods they support.
Reset / re-assign Azure MFA tool
To reset the activation or move it to another subscription, go to %PROGRAMFILES%\Multi-Factor Authentication Server\Data. Move all of its content to a temp folder, on your desktop for example. Then start the tool again; it will prompt for activation again. These are the same steps as the first-time wizard explained earlier in this blog post. Be careful when you decide to migrate your MFA provider to another Azure subscription: you might lose some of the settings you configured.
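Because a reset can cost you configured settings, it is worth scripting the "move the Data folder away" step so that a verified, timestamped copy exists before anything is removed. The following PowerShell is an added example and not the blog author's script or a Microsoft tool. It assumes the Data folder is at the path named above (%PROGRAMFILES%\Multi-Factor Authentication Server\Data) and that the MFA Server's Windows services carry "Multi-Factor Authentication" in their display name; the backup location under the desktop is just a constructed default.

```powershell
# Added example: back up and clear the MFA Server Data folder before re-activating.
# Not part of the original post. Assumptions: the Data folder is under
# $env:ProgramFiles\Multi-Factor Authentication Server\Data (the path named in the
# post) and the MFA services have "Multi-Factor Authentication" in their display name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DataPath   = (Join-Path $env:ProgramFiles 'Multi-Factor Authentication Server\Data'),
    [string]$BackupRoot = (Join-Path $env:USERPROFILE 'Desktop\MFA-Data-Backup')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DataPath)) {
    throw "MFA Data folder not found at '$DataPath'."
}

# Timestamped destination so repeated resets never overwrite an earlier backup.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot $stamp

# Stop the MFA services first so no file in the Data folder is still in use.
$services = Get-Service -DisplayName '*Multi-Factor Authentication*' -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -eq 'Running' }
foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
        Stop-Service -Name $svc.Name -Force
    }
}

# Copy first, verify the copy by file count, and only then empty the live folder.
if ($PSCmdlet.ShouldProcess($DataPath, "Back up to $backup and clear")) {
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path "$DataPath\*" -Destination $backup -Recurse -Force

    $srcCount = @(Get-ChildItem -LiteralPath $DataPath -Recurse -File -Force).Count
    $dstCount = @(Get-ChildItem -LiteralPath $backup   -Recurse -File -Force).Count
    if ($srcCount -ne $dstCount) {
        throw "Backup incomplete: $srcCount source files, $dstCount copied. Nothing was removed."
    }

    Get-ChildItem -LiteralPath $DataPath -Force | Remove-Item -Recurse -Force
    Write-Host "Data folder backed up to '$backup' and emptied. Start the MFA Server tool to re-activate."
}
```

Run it from an elevated PowerShell prompt; add `-WhatIf` to see which services would be stopped and what would be moved without changing anything. If the re-activation goes wrong, the contents of the timestamped backup folder can be copied back into the Data folder before starting the tool again.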
In the next post we will discuss the ADFS adapter integration, which allows users to enroll their MFA through the ADFS web login.