With a pristine Multi-Factor Authentication Server installation on premises, connected to the Azure Multi-Factor Authentication Service, let’s look at the Azure Multi-Factor Authentication portals.

Sander Berkouwer

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

Preconfiguring IIS

Before we can install the Portals and Web Service SDK, we need to make a change in Internet Information Services (IIS) to allow the application pools to be created properly.

Configuring the default application pool for .NET Framework 2.0

  1. Log on to the server running the Multi-Factor Authentication Server with administrative privileges.
  2. Run the Internet Information Services (IIS) Manager (inetmgr.exe).
  3. In the left navigation pane, expand the name of the server.
  4. On the pop-up screen “Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform Components,” click No.
  5. In the left navigation pane, select the Application Pools node.
  6. In the main pane, select the DefaultAppPool.
  7. In the task pane on the right, click Basic Settings….
  8. On the Edit Application Pool window, select .NET CLR Version v2.0.50727 as the .NET CLR version and Classic as the managed pipeline mode.
    Basic settings for the default application pool in IIS
  9. Keep the option Start application pool immediately selected and click OK.

Importing the SSL/TLS certificate

To configure the Multi-Factor Authentication portals with SSL/TLS certificates, we’ll need to import the certificate from the public Certification Authority (CA) to the certificate store of the local machine and then put it to use in IIS. For the first task, perform these steps:

  1. Download or copy the certificate to the server.
  2. Right-click the certificate and select Install certificate from the context menu.
    Certificate Import Wizard welcome screen
  3. Select Local Machine and click Next.
  4. On the Certificate Store screen, select Place all certificates in the following store.
  5. Click Browse….
  6. Select the Personal store for the local machine.
  7. Click OK.
  8. Click Next.
    Completing the Certificate Import Wizard
  9. On the Completing the Certificate Import Wizard screen, click Finish.

Configuring the HTTPS binding for the default website

Now, configure IIS to use the certificate:

  1. Run the Internet Information Services (IIS) Manager (inetmgr.exe).
  2. In the left navigation pane, expand the name of the server.
  3. On the pop-up screen “Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform Components,” click No.
  4. Expand the Sites node.
  5. In the left navigation pane, select the Default Web Site node.
  6. In the right pane, click Bindings….
    Site bindings for the default web site
  7. Click Add….
  8. For Type, choose https.
  9. For SSL Certificate, pick the certificate from the drop-down list for the fully qualified domain name (FQDN) of the server on the Internet (for instance, mfa.domain.tld).
  10. Click OK.
  11. Click Close.
  12. Close the Internet Information Services (IIS) Manager.
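The IIS preparation, certificate import and HTTPS binding described above, as one PowerShell script. This is an added example and not the article's own code; it assumes the WebAdministration and PKI modules (Windows Server 2012 or later), a PFX export of the public-CA certificate at an assumed path, and the article's example hostname mfa.domain.tld.

```powershell
# Added example: automate the three IIS preparation tasks from the article.
# Assumed: PFX path, and that the certificate was issued for mfa.domain.tld.
Import-Module WebAdministration
Import-Module PKI

$pfxPath  = 'C:\Temp\mfa.domain.tld.pfx'            # assumed location of the exported certificate
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString
$siteName = 'Default Web Site'
$hostName = 'mfa.domain.tld'                        # FQDN from the article; replace with yours

# 1. DefaultAppPool: .NET CLR v2.0.50727 (stored as "v2.0") with the Classic pipeline
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name managedPipelineMode  -Value 'Classic'

# 2. Import the certificate together with its private key into LocalMachine\My (Personal)
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# Checks worth doing before the certificate is trusted with the external MFA hostname
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; IIS cannot use it for TLS.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName -ErrorAction SilentlyContinue)) {
    throw "Certificate does not validate as a server certificate for $hostName"
}

# 3. HTTPS binding on the default web site, then attach the certificate to port 443
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert

# Show the result: port 443 must now carry the thumbprint of the imported certificate
Get-ChildItem 'IIS:\SslBindings' | Format-Table IPAddress, Port, Thumbprint
```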

Installing the User Portal

With the Multi-Factor Authentication Web Service SDK in place, we can install and configure both the User Portal and the Mobile Portal. Let’s start with the first:

Note:
Make sure you are logged on as a domain admin for this and consecutive steps in this article.

  1. Open the Multi-Factor Authentication Server Management console by searching for it on the Start Screen.
  2. In the left pane, click User Portal.
    Multi-Factor Authentication User Portal settings
  3. On the Settings tab, fill in the external URL for User Portal URL. For example: https://mfa.domain.tld/MultiFactorAuth.
  4. Select your preferences. Common options to select are Allow users to select method, followed by a couple of authentication methods, such as Phone Call, Text message, and Mobile app.
  5. When you select Mobile app, also select the Allow users to activate mobile app check box and set a maximum number of devices using the Device limit setting. Settings are automatically saved.
  6. Click the Install User Portal button at the top of the Settings tab to open the Install User Portal wizard.
    Installation guide review screen in Install User Portal wizard
  7. On the Installation Guide screen, click Next >.
    Active Directory configuration screen in Install User Portal wizard
  8. On the Active Directory screen, click Next >.
    Launch Installer screen in the Install User Portal wizard
  9. On the Launch Installer screen, click Next >.
    The Install User Portal closes and the Multi-Factor Authentication User Portal window appears.
    Select Installation Address screen in the Multi-Factor Authentication User Portal wizard
  10. On the Select Installation Address screen, click Next >.
    Installation Complete screen in the Multi-Factor Authentication User Portal wizard
  11. On the Installation Complete page, click Close.

Installing the Web Service SDK

Since both the User Portal and the Mobile Portal use the Web Service SDK to connect (remotely) to the MultiFactorAuth service (MultiFactorAuthSvc), we’ll start with installing it:

  1. In the left pane of the Multi-Factor Authentication management console, click Web Service SDK.
  2. Click the Install Web Service SDK… button.
    Web Service SDK
  3. On the Select Installation Address screen, click Next > to accept the default application pool /MultiFactorAuthWebServiceSDK.
    Complete screen
  4. On the Installation Complete screen, click Close.

Testing the Web Service SDK

Open Internet Explorer and visit https://localhost/multifactorauthwebservicesdk/. Ignore the certificate error (“The certificate does not cover localhost…”). You should see a list of supported operations for the PfWsSdk Web Service. This confirms the MFA Web Service SDK is correctly installed and fully functional.

Installing the Mobile Portal

The Multi-Factor Authentication management console does not offer a button to install the Mobile Portal, so we’ll kick off its installer from the folder where we installed the Multi-Factor Authentication Server:

  1. Open File Explorer as an administrator by typing its name in the Start Screen, right-clicking it in the search results, and selecting Run as administrator from the context menu.
  2. Navigate to C:\Program Files\Multi-Factor Authentication Server\.
    Contents of the Multi-Factor Authentication Server installation folder
  3. Right-click MultiFactorAuthenticationMobileAppWebServiceSetup64.msi and select Install from the context menu.
    Select Installation Address screen in the Mobile App Web Service wizard
  4. On the Select Installation Address screen, click Next > to accept the default /MultiFactorAuthMobileAppWebService virtual directory.
    Installation Complete screen in the Mobile App Web Service wizard
  5. On the Installation Complete screen, click Close.

Making the MFA Server aware of its existence

The Multi-Factor Authentication Server installation has no knowledge of the existence of the Mobile App Portal at this point. Let’s fix that:

  1. Open the Multi-Factor Authentication Server Management console.
  2. In the left pane, click Mobile App.
  3. For the Mobile App Web Service URL, fill in the externally resolvable address, starting with https:// and ending with /MultiFactorAuthMobileAppWebService.
  4. For Account Name, fill in your organization’s name.

Configuring Active Directory

After we installed the User Portal, a group (PhoneFactor Admins) was created in the Users container of the Active Directory environment. It’s a good thing to work with service accounts. Although we would prefer to use (group) Managed Service Accounts (gMSAs), unfortunately we can’t use them in this scenario. Therefore, we will create a service account based on a normal user account:

Creating the service account

  1. Log on to a domain controller for the domain to which the server running the Multi-Factor Authentication Server is domain-joined, or use the Remote Server Administration Tools (RSAT) to make a remote connection to a domain controller.
  2. Start the Active Directory Administrative Center (dsac.exe).
  3. At the top of the left navigation pane, switch from List View to Tree View.
  4. In the left navigation pane, expand the domain name and navigate to the Users container.
    Note:
    When your organization’s IT management policy suggests you create service accounts in a different container or Organizational Unit (OU), create it there.
  5. In the right task pane, under Users, click New. From the context menu, select User.
    Creating a user in the Active Directory Administrative Center
  6. Specify at least a Full name, a SamAccountName, and a strong password (twice). My choice here is SA AzureMFA.
    Note:
    Make sure the password only contains English uppercase characters (from A through Z), English lowercase characters (from a through z), and Base 10 digits (from 0 through 9). Do not include non-alphanumeric characters (for example: !, $, #, or %) to avoid more work later on.
    Note:
    When your organization’s IT management policy contains a naming convention, follow it.
  7. Under “Password options,” select Other password options and then select Password never expires.
  8. Select Protect from accidental deletion.
  9. Click OK.

Making the service account a member of PhoneFactor Admins

Then, we’ll add the service account to the PhoneFactor Admins group:

  1. When you’ve created the service account in another container or OU, navigate back to the Users container.
  2. Locate and select the PhoneFactor Admins global security group.
  3. Right-click the object and select Properties from the context menu.
    The PhoneFactor Admins group in Active Directory
  4. In the left navigation pane of the PhoneFactor Admins Properties window, click Members.
  5. Click the Add… button next to the list of current members of the group.
  6. Type (the beginning of) the name of the service account (in my case, SA AzureMFA) and click the Check Names button.
    Your service account should now appear underlined in the list.
  7. Click OK.
  8. Click OK to close the PhoneFactor Admins Properties window.
  9. Close the Active Directory Administrative Center.
  10. Log off.

In an environment with multiple Active Directory domain controllers, allow sufficient time for replication to domain controllers near the Multi-Factor Authentication Server.
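The service account creation and group membership steps above, done with the ActiveDirectory PowerShell module. This is an added example rather than the article's own procedure; it assumes RSAT (the ActiveDirectory module) is available, that the session is joined to the MFA Server's domain, and it generates a password that follows the article's alphanumeric-only note.

```powershell
# Added example: create the MFA service account and add it to PhoneFactor Admins.
# Assumed: account name/SamAccountName as chosen in the article, Users container as location.
Import-Module ActiveDirectory

function New-AlphanumericPassword {
    param([int]$Length = 24)
    # Only A-Z, a-z and 0-9, as the article's note requires: such a password needs no
    # XML escaping when it is later pasted into the portals' Web.Config files.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so bytes 0..247 map uniformly onto the 62 symbols
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    return $sb.ToString()
}

$domain = Get-ADDomain
$name   = 'SA AzureMFA'                 # the article's choice of Full name
$sam    = 'SAAzureMFA'                  # SamAccountName, as used later in Web.Config
$ouPath = $domain.UsersContainer        # or the OU your naming/placement policy prescribes
$plain  = New-AlphanumericPassword -Length 24
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

$user = New-ADUser -Name $name -SamAccountName $sam -Path $ouPath `
    -AccountPassword $secure -Enabled $true -PasswordNeverExpires $true `
    -Description 'Service account: Azure MFA Web Service SDK application pool' -PassThru

# The "Protect from accidental deletion" check box
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true

# The group the User Portal installer created in the Users container
Add-ADGroupMember -Identity 'PhoneFactor Admins' -Members $user

# Verify membership, then show the password once so it can go into your password vault
Get-ADPrincipalGroupMembership $user | Select-Object -ExpandProperty Name
"Password for $($domain.NetBIOSName)\$sam (needed for the IIS app pool and Web.Config): $plain"
```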

Configuring the Web Service SDK

Next, we’ll configure authentication for the Multi-Factor Authentication Web Service SDK:

  1. Run the Internet Information Services (IIS) Manager (inetmgr.exe).
  2. In the left navigation pane, expand the name of the server.
  3. On the pop-up screen “Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform Components,” click No.
  4. Select the Application Pools node in the left navigation pane.
  5. In the main pane, select the MultiFactorAuthWebServiceSDK application pool that the MFA Web Service SDK created. If it hasn’t been created, select the DefaultAppPool.
  6. In the task pane on the right, click Advanced Settings….
    Advanced settings for application pools in Internet Information Services
  7. From the list of settings, under Process Model, select Identity.
  8. Click the button with the three dots to the right of ApplicationPoolIdentity.
  9. In the Application Pool Identity window, select Custom account.
  10. Click Set….
    Setting credentials for the application pool identity
  11. On the Set Credentials pop-up, type the user name and the password (twice) for the service account that was created.
  12. On the Set Credentials pop-up, click OK.
  13. On the Application Pool Identity window, click OK.
  14. Next, in the left navigation pane of Internet Information Services (IIS) Manager, navigate to the MultiFactorAuthWebServiceSDK application under Default Web Site.
  15. In the main pane, double-click Authentication.
    Authentication settings for the Multi-Factor Authentication Web Service SDK
  16. Right-click Anonymous Authentication and select Disable from the context menu.
  17. Right-click Basic Authentication and select Enable from the context menu.
  18. Close the Internet Information Services (IIS) Manager.
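The application pool identity and authentication changes above, scripted with the WebAdministration module. This is an added example, not part of the article; it assumes the pool and application names from the article and prompts for the service account credential instead of storing it in the script.

```powershell
# Added example: run the SDK application pool as the service account and switch the
# SDK application from Anonymous to Basic authentication (location-scoped, as in IIS Manager).
Import-Module WebAdministration

$poolName = 'MultiFactorAuthWebServiceSDK'
$appPath  = 'Default Web Site/MultiFactorAuthWebServiceSDK'
$cred     = Get-Credential -Message 'Service account for the Web Service SDK (DOMAIN\SAAzureMFA)'

# The article's fallback if the installer did not create its own pool
if (-not (Test-Path "IIS:\AppPools\$poolName")) { $poolName = 'DefaultAppPool' }

# identityType 3 = SpecificUser ("Custom account" in the Application Pool Identity window)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Authentication is locked at site level, so write it as a <location> for the SDK app only
$apphost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $appPath `
    -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $appPath `
    -Filter "$authFilter/basicAuthentication" -Name enabled -Value $true

# Verify the effective settings; Basic sends credentials base64-encoded, so this
# application must only be reachable over the HTTPS binding configured earlier.
Get-WebConfigurationProperty -PSPath $apphost -Location $appPath `
    -Filter "$authFilter/*" -Name enabled | Select-Object ItemXPath, Value
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel | Select-Object identityType, userName
```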

Configuring the Mobile Portal

Because the Multi-Factor Authentication Mobile App Web Service offers validation options when accessed from the local server, we’ll configure this portal first:

  1. Open Notepad as an administrator.
  2. By default, Notepad opens with a new document. From the File menu, select Open….
  3. Browse to the folder in which you have installed the MFA Mobile Portal. By default, it is located in C:\Inetpub\wwwroot\MultiFactorAuthMobileAppWebService.
  4. In the right bottom corner, change the file type from Text documents (*.txt) to All Files.
  5. Select and open Web.Config.
    Contents of the Web.Config file for the Mobile App Web Service
  6. In the appSettings section, make two changes:
    1. In the line containing the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME, change value=""/> to include the domain name and username for the service account that runs the application pool of the Web Service SDK. I changed it to value="DOMAIN\SAAzureMFA"/>.
    2. In the line below that, add a password value, in the same way you added the username, for WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD.
  7. In the pfup.Properties.Settings section (almost at the end of Web.Config), make one change. Change <value>http://localhost:4898/PfWsSdk.asmx</value> to <value>https://EXTERNALFQDN/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx</value>. (Change EXTERNALFQDN to the externally resolvable DNS domain name for the MFA Server for which the SSL/TLS certificate was issued.)
  8. From Notepad’s File menu, select Save.
  9. From NotePad’s File menu, select Exit.
  10. Now, open Internet Explorer and navigate to https://localhost/MultiFactorAuthMobileAppWebService.
    Multi-Factor Authentication Mobile App Web Service Portal

Follow the TestPfWsSdkConnection and TestSecurity links to ensure the connection to the Multi-Factor Authentication Web Service SDK is successful and the Mobile App Web Portal is secure.

Configuring the User Portal

Next, we’ll configure the Multi-Factor Authentication User Portal to successfully authenticate to the Multi-Factor Authentication Web Service SDK:

  1. Open Notepad as an administrator.
  2. By default, Notepad opens with a new document. From the File menu, select Open….
  3. Browse to the folder in which you have installed the MFA User Portal. By default, it is located in C:\Inetpub\wwwroot\MultiFactorAuth.
  4. In the right bottom corner, change the file type from Text documents (*.txt) to All Files.
  5. Scroll down the list of files and then select and open Web.Config.
    Web.Config
  6. In the appSettings section, make three changes:
    1. Because the Multi-Factor Authentication User Portal can use both RPC (directly) and a connection to the Web Service SDK to communicate with the MultiFactorAuth service, we’ll change value="false"/> to value="true"/> for USE_WEB_SERVICE_SDK.
    2. In the line below the previous line, change value=""/> to include the domain name and username for the service account that runs the application pool of the Web Service SDK. I changed it to value="DOMAIN\SAAzureMFA"/>.
    3. In the line below that, add the password in the same way you added the username.
  7. In the ApplicationSettings section (almost at the end of Web.Config), make one change. Change <value>http://localhost:4898/PfWsSdk.asmx</value> to <value>https://EXTERNALFQDN/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx</value>. (Change EXTERNALFQDN to the externally resolvable DNS domain name for the MFA Server and for which the SSL/TLS certificate was issued.)
  8. From Notepad’s File menu, select Save.
  9. From NotePad’s File menu, select Exit.
  10. Now, open Internet Explorer and navigate to https://localhost/MultiFactorAuth.
    Multi-Factor Authentication User Portal login screen
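The Web.Config edits for the Mobile Portal (previous section) and the User Portal (this section) applied as one PowerShell function. This is an added example, not the article's own procedure; it assumes the article's default installation folders, matches the SDK endpoint on the default value the article tells you to replace, and uses the placeholder hostname mfa.domain.tld for EXTERNALFQDN. Because the values are assigned through the XML DOM rather than pasted by hand, they are escaped correctly even when a password contains characters that are special in XML.

```powershell
# Added example: apply the appSettings and applicationSettings changes to both portals.
# Assumed: default install paths from the article and the external FQDN below.
$externalFqdn = 'mfa.domain.tld'
$cred   = Get-Credential -Message 'Service account for the Web Service SDK (DOMAIN\SAAzureMFA)'
$sdkUrl = "https://$externalFqdn/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx"

function Set-MfaPortalWebConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$SdkUrl,
        [string]$DefaultSdkUrl = 'http://localhost:4898/PfWsSdk.asmx',
        [switch]$EnableWebServiceSdk    # USE_WEB_SERVICE_SDK is only present in the User Portal config
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup before editing
    [xml]$xml = Get-Content -Path $Path -Raw

    $settings = @{
        'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' = $Credential.UserName
        'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' = $Credential.GetNetworkCredential().Password
    }
    if ($EnableWebServiceSdk) { $settings['USE_WEB_SERVICE_SDK'] = 'true' }

    foreach ($key in $settings.Keys) {
        $node = $xml.SelectSingleNode("//appSettings/add[@key='$key']")
        if (-not $node) { throw "appSettings key $key not found in $Path" }
        $node.SetAttribute('value', $settings[$key])   # DOM escapes &, <, " etc. for us
    }

    # The SDK endpoint sits under applicationSettings (pfup.Properties.Settings);
    # match on the default value so the setting name does not have to be known.
    $endpoint = $xml.SelectSingleNode("//applicationSettings//setting/value[.='$DefaultSdkUrl']")
    if (-not $endpoint) { throw "Default SDK endpoint $DefaultSdkUrl not found in $Path" }
    $endpoint.InnerText = $SdkUrl

    $xml.Save($Path)
    Write-Host "Updated $Path"
}

Set-MfaPortalWebConfig -Path 'C:\Inetpub\wwwroot\MultiFactorAuthMobileAppWebService\Web.Config' `
    -Credential $cred -SdkUrl $sdkUrl
Set-MfaPortalWebConfig -Path 'C:\Inetpub\wwwroot\MultiFactorAuth\Web.Config' `
    -Credential $cred -SdkUrl $sdkUrl -EnableWebServiceSdk
```

After running it, the TestPfWsSdkConnection and TestSecurity links on the Mobile App Web Service page and the User Portal login page remain the checks that the new settings actually work.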

Concluding

We’ve successfully installed and configured the User Portal, Mobile App Web Service, and Web Service SDK in this article. In the next article, we’ll look at configuring the settings of our Multi-Factor Authentication Server.

3 Comments
  1. Denis Dragovic 2 years ago

    Excellent article for a real step by step.

    But, I think there is one error.

    Instead of:
    https://EXTERNALFQDN/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx.

    I think you need to put:
    https://EXTERNALFQDN/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx.

    I copied this from your website and it wasn't working before I changed it to Sdk.

    0

  2. Terry 1 year ago

    Hi Sander, I have a strange question for you. Would it be possible to manage user enrollment from the MFA cloud portal and have directory sync to the MFA Server? Ideally I would like to perform most management tasks from the portal; however, I require MFA Server as I would like to utilise MFA capabilities for VPN access. Would I be correct in thinking it's either one or the other and not both, MFA Server & MFA Cloud portal, for admin tasks? Thanks in advance.

    Terry

    0

  3. Sayit 4 months ago

    Hi Sander,
    I am discovering the MFA on-premises server. I wonder about this case and how I can solve this problem using MFA.

    I am doing VPN to our branch, and there is a firewall. That firewall has only one active rule, and that rule directs to the MFA server. But I don't see any two-factor (text message or any call); I can directly access the branch. Those users are enabled on the MFA server.
    How can I solve this on MFA?
    Can MFA make some users not access the branch or company network area using VPN? Is it possible? We can block on the firewall, but we need to know: can MFA do that?

    0

© 4sysops 2006 - 2017