We’re going to enable Multi-Factor Authentication in our Azure tenant, and then download and install the on-premises Multi-Factor Authentication Server.
This walkthrough assumes that you already have an Azure tenant and a Windows Server installation on which to install the Multi-Factor Authentication Server.
This walkthrough features:
- Windows Server 2012 R2 Standard Edition
- Multi-Factor Authentication Server 6.3.0.17465
Let’s get technical!
Prerequisites
To complete the steps in this article and the two articles after it, you will need:
- A domain-joined and Internet-connected Windows Server 2012 R2 (x64) installation
- An SSL/TLS certificate for the external domain name for the above server (for instance, mfa.domain.tld to help protect the communications between end users, devices, and the services offered through the MFA portals)
Tip!
You can get free trusted SSL/TLS certificates from StartSSL.com.
Preparing the Windows Server installation
Before we can install the Multi-Factor Authentication Server on an on-premises Windows Server, we need to prepare the latter for this functionality. We’ll need to install Internet Information Services (IIS) and the .NET Framework 2.0.
Let’s start with the .NET Framework. Open a Windows PowerShell with elevated rights and issue this PowerShell command:
Install-WindowsFeature NET-Framework-Core
Note:
This installation may take some time because the installation files for the .NET Framework 2.0 features are downloaded from Windows Update. You’ll see it seemingly stalling at 68% progress while it downloads.
Next, install the IIS role and role features:
Install-WindowsFeature Web-WebServer,Web-Http-Redirect,Web-Basic-Auth,Web-ASP,Web-Asp-Net,Web-Asp-Net45,Web-Metabase -IncludeManagementTools
Because we’ll be using Internet Explorer on this server, it’s also a good idea to disable Internet Explorer Enhanced Security Configuration. In Server Manager, in the left pane, click Local Server. Then, in the second column, click On next to IE Enhanced Security Configuration. Disable it and then click OK.
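The preparation steps above, collected into one re-runnable PowerShell script (an added example, not from the original article or from Microsoft): it installs only the features that are still missing, disables IE Enhanced Security Configuration through the Active Setup registry values that Server Manager toggles, and verifies that a certificate for the external MFA host name (assumed here to be mfa.domain.tld, the placeholder from the prerequisites) is present in the machine store with a private key.

```powershell
#Requires -RunAsAdministrator
# Added example: prepare a Windows Server 2012 R2 host for the on-premises MFA Server.
# Assumption: the external name on the TLS certificate is mfa.domain.tld (placeholder).
$ExternalName = 'mfa.domain.tld'

Import-Module ServerManager

# Roles and features from the article, installed only if still missing (safe to re-run).
$Features = @(
    'NET-Framework-Core',
    'Web-WebServer', 'Web-Http-Redirect', 'Web-Basic-Auth', 'Web-ASP',
    'Web-Asp-Net', 'Web-Asp-Net45', 'Web-Metabase'
)
$Missing = Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed }
if ($Missing) {
    # NET-Framework-Core may fetch its payload from Windows Update; that is the apparent 68% stall.
    $Result = Install-WindowsFeature -Name $Missing.Name -IncludeManagementTools
    if (-not $Result.Success) { throw "Feature installation failed with exit code $($Result.ExitCode)" }
    if ($Result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing.' }
} else {
    Write-Host 'All required roles and features are already installed.'
}

# IE Enhanced Security Configuration: Active Setup keys for Administrators (A7) and Users (A8).
$IeEscKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
)
foreach ($Key in $IeEscKeys) {
    if (Test-Path $Key) { Set-ItemProperty -Path $Key -Name IsInstalled -Value 0 -Type DWord }
}

# Verify a usable certificate for the external name: machine store, private key, not expired,
# and the name either in the subject or in the subject alternative names.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.Subject -match [regex]::Escape($ExternalName) -or
                   ($_.DnsNameList.Unicode -contains $ExternalName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($Cert) {
    Write-Host "Certificate for $ExternalName found: thumbprint $($Cert.Thumbprint), expires $($Cert.NotAfter)"
} else {
    Write-Warning "No valid certificate for $ExternalName in Cert:\LocalMachine\My; import one before publishing the MFA portals."
}
```

Run it once before the MFA Server setup and again after any restart; it reports rather than reinstalls when everything is already in place.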
Enabling the Multi-Factor Authentication Service
By default, Multi-Factor Authentication is disabled in any Azure Active Directory tenant. As pointed out previously, this default still allows Multi-Factor Authentication for Office 365 and Azure admins.
Enabling the Azure Multi-Factor Authentication Service, however, is straightforward and easy.
Note:
Although the new Azure Portal, now in preview, shows a user interface where you’d suspect you could enable Multi-Factor Authentication for the tenant, this functionality is labeled “Coming Soon.” We’ll just use the “old” portal.
Just follow these steps:
- Log on to the Azure Portal.
- In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
- In the main pane, select the default directory.
- Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
- You’ll be prompted with the message “You have no Multi-Factor Authentication providers. Add one to get started!” Click the link CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
- A configuration pane will unfold from the bottom of the Azure Management Portal, offering you a set of configuration options. Here, we’ll make three distinct choices:
  - Choose a NAME. You will not see this name anywhere, but it is good to name the Multi-Factor Authentication Provider appropriately.
  - Choose a USER MODEL. This determines whether you use the Per Enabled User or Per Authentication mode.
  - Under DIRECTORY, choose your directory. This is often aptly named the Default Directory.
- When done configuring, click CREATE.
It’ll only take a minute to create. After that, you can manage the Multi-Factor Authentication Provider by selecting it from the list and then clicking MANAGE on the bottom ribbon.
Downloading the Multi-Factor Authentication Server
You’ll be redirected to the PhoneFactor management portal (https://pfweb.phonefactor.net), where you can download the installation files for the on-premises Multi-Factor Authentication Server and get activation credentials to connect it to the Azure Multi-Factor Authentication Service.
In the PhoneFactor management portal, perform these steps:
- On the Welcome page, click DOWNLOADS.
- Below the list of supported operating systems for the on-premises Azure Multi-Factor Authentication Server (including Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003, Windows 8.1, Windows 8, Windows 7, and Windows Vista), click Download.
- Save the 122MB MultiFactorAuthenticationServerSetup.exe file somewhere convenient.
- Run the installer.
- On the Select Installation Folder page, accept the default C:\Program Files\Multi-Factor Authentication Server\ folder or choose another folder. Click Next > when done.
- On the Installation Complete page, click Finish.
Configuring the Multi-Factor Authentication Server
The Multi-Factor Authentication Server Authentication Configuration Wizard appears.
Perform these actions:
- On the Welcome page, click Next >.
- On the Activate screen, fill in the Email and Password fields with the data you get when you click the Generate Activation Credentials button on the DOWNLOADS page of the PhoneFactor management portal. Click Next > when done.
- On the Join Group screen, click Next >, unless you’re installing a second or subsequent Multi-Factor Authentication Server.
- On the Enable Replication Between Servers page, enable the Enable replication between servers option, unless you’re installing the first server and are really sure you’re never going to add a second server. Click Next > when done.
The Multi-Factor Authentication Server Authentication Configuration Wizard closes and the Authentication Configuration Wizard opens.
- On the Secure Communications page, deselect Certificates and click Next >.
- On the Active Directory page, make sure all options are selected and click Next >.
- On the Select Applications page, click Cancel, or click the close button in the title bar to close the Authentication Configuration Wizard, unless you have the information required and the prerequisites met for the listed agents and types of appliances.
You’ll receive a warning stating that “the Authentication Configuration Wizard has not been completed. Any configuration specified will be lost. Are you sure you want to cancel?” In fact, the wizard has already done everything we need it to do at this point. Click Yes.
When you’re ready to add Virtual Private Networking (VPN) appliances, Citrix Web Interface, Outlook Web Access (OWA), Websites, RADIUS client devices, and/or Remote Desktop to the Multi-Factor Authentication Server configuration, simply open the Tools menu in the Multi-Factor Authentication Server Management Console and select Authentication Configuration Wizard….
Concluding
In the next article, we’ll install the Web Service SDK, the User Portal, and the Mobile Portal so that end users can configure their multi-factor authentication preferences and activate their mobile Multi-Factor Auth apps.
Sweetest article I have ever come across for Azure MFA… Really nicely explained. Can you throw some light on Azure on-prem server high availability?
Does the MFA Server need to be internet facing, i.e. does it need to be reachable from the Internet on a public IP?