Setup On Premise Multi Factor Authentication

In this blog post we are going to install and configure Multi-Factor Authentication for on-premises use. I will divide it into a couple of sections.

Ok let’s roll…

In the last post I explained how to enable the Multi-Factor Authentication provider in the Azure Portal. Now let's open it and choose Manage.

This opens the PhoneFactor Portal.

Click the Downloads button to download the server agent.

This downloads MultiFactorAuthenticationServerSetup.exe; save it so you can copy it to the MFA server later.

Log on to the MFA server and install .NET Framework 3.5.

After the .NET installation completes, copy over the installer and run it.

Click Next.

It installs the required files; when it is done, click Finish.

And we are done with the server install.

I prefer to skip the wizard and configure the components manually, so I check the box and click Next.

Go back to the Azure Portal and select Manage multi-factor provider.

Then, under Download settings, you have the option to generate an activation code.

Enter the activation details in the MFA server tool and click Activate.

After activation I chose to use the default group; you can create your own groups if you want.

To run multiple MFA servers you need to enable replication. I will show how to configure this in a later post.

And the console is ready to configure.

We have now installed the first Multi-Factor Authentication server and can configure the components in the portal.

The first thing I change is the default behaviour for imported users who are still disabled: out of the box their logins succeed. I want to force users to set up their multi-factor authentication through the User Portal first, and otherwise fail authentication. To do this, go to Company Settings and change the setting from "Succeed authentication when user is disabled" to fail authentication.

There are different authentication settings to choose from. Make sure you select only the correct and allowed authentication methods in Company Settings. For example, if you plan to use Remote Desktop Gateway, do not enable OATH, because Remote Desktop Gateway cannot present a prompt to enter the response code. Think about the solutions you wish to provide and enable only the methods they support.

Reset / re-assign Azure – MFA Tool

To reset the activation or move it to another subscription, go to %ProgramFiles%\Multi-Factor Authentication Server\Data. Move all of its content to a temp folder, on your desktop for example. Then start the tool again; it will prompt for activation. These are the same steps as the first-time wizard explained earlier in this blog post. Be careful when you decide to migrate your MFA provider to another Azure subscription: you might lose some of the settings you configured.
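The reset step above is easy to get wrong by hand (files deleted before they are safely copied, hidden files left behind). The following PowerShell script is an added example, not part of the original post or of the MFA Server product: it moves the Data folder content into a timestamped backup folder under %TEMP%, verifies the copy before clearing the source, and refuses to touch anything if the folder is missing or empty. It assumes the Data folder path given in the post (resolved through $env:ProgramFiles); the page does not name the MFA Server Windows service, so the script deliberately does not stop or start any service. Run it in an elevated PowerShell session on the MFA server.

```powershell
# Added example (not from the original post): back up and clear the MFA Server
# Data folder so the server tool prompts for activation again on next start.
# Assumption: the Data folder path from the post under %ProgramFiles%.

$dataPath = Join-Path $env:ProgramFiles 'Multi-Factor Authentication Server\Data'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup   = Join-Path $env:TEMP "MFA-Data-backup-$stamp"

if (-not (Test-Path -LiteralPath $dataPath -PathType Container)) {
    throw "MFA Server Data folder not found at '$dataPath'."
}

# -Force includes hidden and system files so nothing is silently left behind.
$src = @(Get-ChildItem -LiteralPath $dataPath -Recurse -File -Force)
if ($src.Count -eq 0) {
    throw "Data folder '$dataPath' is empty; nothing to reset."
}

New-Item -ItemType Directory -Path $backup | Out-Null

# Copy first so the backup is complete before anything is removed.
Copy-Item -Path (Join-Path $dataPath '*') -Destination $backup -Recurse -Force

# Verify the copy by comparing file count and total size with the source.
$dst = @(Get-ChildItem -LiteralPath $backup -Recurse -File -Force)
$srcBytes = ($src | Measure-Object -Property Length -Sum).Sum
$dstBytes = ($dst | Measure-Object -Property Length -Sum).Sum
if ($src.Count -ne $dst.Count -or $srcBytes -ne $dstBytes) {
    throw "Backup verification failed ($($src.Count) files/$srcBytes bytes vs " +
          "$($dst.Count) files/$dstBytes bytes); leaving '$dataPath' untouched."
}

# Only now clear the Data folder; the MFA Server tool will ask for activation again.
Get-ChildItem -LiteralPath $dataPath -Force | Remove-Item -Recurse -Force
Write-Host "Backed up $($src.Count) files to '$backup' and cleared '$dataPath'."
Write-Host "Start the Multi-Factor Authentication Server tool to re-activate."
```

Keep the backup folder until the re-activated server has been checked, since the post notes that settings can be lost when the provider is migrated to another subscription; the backup is what you restore from if that happens.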

In the next post we will discuss the ADFS adapter integration, which allows users to enroll for MFA through the ADFS web login.