In this post we are going to configure the User Portal for Multi-Factor Authentication. Before we can run the installer from the MFA console we need to install the IIS web server role. As this is my lab environment I chose to co-locate it on the MFA server and use internal site access only. It is of course also possible to publish the MFA User Portal through a web reverse proxy.
So let's start: from Server Manager, install IIS.
Also select ASP.NET and IIS 6 Metabase Compatibility.
Hit Next and wait for Server Manager to complete the installation of IIS.
Now open the MFA console, go to the User Portal icon and choose Install User Portal at the top.
Hit Next
It wants to create a user for the User Portal, and that user needs administrative permissions on the MFA server, so it will create the user and group in AD for you. They will be located in the default Users container in AD; you can move them to an appropriate OU if needed. It is also possible to create and configure the accounts and groups manually if required.
Hit Next
If you install the User Portal on a dedicated web server you can specify the site where the portal must be created, including the virtual directory that will be assigned to it.
Hit Next and Close.
Back in the User Portal tab, specify the options you would like to offer to your users and configure the URL. Remember it has to be https.
If I try to connect to it over http it gives me a 403.4 Forbidden.
So if you haven't assigned a certificate to the website yet, it is time to do that now. Open IIS Manager, select the website where the User Portal is installed, edit the bindings, add https and select a certificate.
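The same steps done from PowerShell instead of the Server Manager and IIS Manager GUIs, as an added example that is not part of the original post: the IIS feature set ticked above, the https binding with an existing certificate, and a check that plain http is refused. The site name, certificate subject, hostname and virtual directory are placeholders for your own environment.

```powershell
# Added example, not the post's own script. Placeholders (adjust to your lab):
$SiteName    = 'Default Web Site'   # IIS site the User Portal was installed into
$CertSubject = 'CN=mfa.lab.example' # subject of a server cert already in LocalMachine\My
$PortalHost  = 'mfa.lab.example'    # hostname used in the https URL in the MFA console
$PortalVDir  = 'MultiFactorAuth'    # virtual directory chosen in the installer (placeholder)

Import-Module ServerManager
Import-Module WebAdministration

# 1. IIS plus the two extra boxes ticked in Server Manager:
#    ASP.NET (4.5 feature name here) and IIS 6 Metabase Compatibility.
Install-WindowsFeature -Name Web-Server, Web-Asp-Net45, Web-Metabase -IncludeManagementTools

# 2. Add an https binding on 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# 3. Pick the certificate from the machine store and attach it to that binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$CertSubject' in LocalMachine\My" }
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.GetCertHashString(), 'My')

# 4. Check the result. Returns the HTTP status code, also when the request throws.
function Get-StatusCode([string]$Url) {
    try {
        (Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0).StatusCode
    } catch {
        $_.Exception.Response.StatusCode.value__
    }
}
# Plain http must be refused with 403 (403.4 "SSL required", as seen in the post);
# https should now answer with a 401 logon challenge instead of a binding error.
"http  -> $(Get-StatusCode "http://$PortalHost/$PortalVDir")"
"https -> $(Get-StatusCode "https://$PortalHost/$PortalVDir")"
```

Run it in an elevated PowerShell on the portal server; the 403 on http confirms the portal's SSL requirement is still in place after you add the binding.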
Once the certificate has been assigned and I enter the URL I get a login prompt:
After I log on I get the setup wizard to confirm my number:
There is also an option to change the authentication method.
As I don't have the mobile app configured yet I'll leave it on phone for now. I click Call Me Now and Azure MFA makes a phone call to authenticate me.
After I have confirmed my identity by phone I get the home screen of the User Portal:
On the left side of the site I have options to change or add mobile app methods, or to configure a one-time bypass if it is enabled in your policy.
For those who want to activate the mobile app without configuring the mobile web service first: you do get a QR code, but the URL will be empty.
In a later blog post I will cover the Web Service SDK and the Mobile App configuration.