Azure Multi-Factor Authentication on premise – Tricks

I want to share some tips and tricks for deploying Azure MFA on premise. These tips come from my own experience of dealing with the Azure MFA services.

Tip : SMS Notification – One Way or Two Way

If you are using the SMS notification option, you will notice that a one-time password is sent to your phone as an SMS and you have to reply with another message containing it (this mode is called Two-Way SMS Notification). My comments here are:

  • Extra charges, because the person doing the multi-factor authentication needs to send a message back with the OTP.
  • It is better if the OTP can be typed into the browser itself, where possible, instead of replying to the SMS.

Although replying with another SMS is completely out of band and the more secure option, some may argue that it would be better if the OTP could be sent via SMS and then typed into the application itself (this is called One-Way SMS Notification).

On the MFA on-premise server console, the option to choose One-Way SMS notification is grayed out. You can only choose Two-Way!

[Figure: SMS Azure]

After searching a lot on the web for a way to activate One-Way SMS notification, I realized that this is only possible via the Azure Multi-Factor Authentication SDK. The SDK exposes the One-Way SMS option as seen below:

[Figure: OTP Azure]

This means that if you have developed your own logon page, you can use the SDK with the MODE_SMS_ONE_WAY_OTP option there. But what if you want to use One-Way SMS notification to secure a VPN connection? You simply cannot, because the VPN endpoint most probably does not allow code to be injected into its logon functionality, which is where you would call the SDK.

Update: I asked about Two-Way SMS on the Microsoft TechNet Forum and got this answer: “MFA Server v6.2.2 and older doesn’t have one-way SMS capability. It is being added to v6.3 which is expected to release in Jan 2015. The one-way SMS will work with the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS, the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can be prompted for the OTP.”

Update: The new MFA Server version 6.3 supports SMS_ONE_WAY_OTP, as per https://social.msdn.microsoft.com/Forums/en-US/b20d9859-b27e-4918-a370-db79fa7612cc/one-way-sms-otp-in-azure-mfa-server?forum=windowsazureactiveauthentication

Tip: How to use the OTP that is generated from the Azure MFA mobile app

The Azure Multi-Factor Authentication mobile app serves two purposes:

  • Push notification: you receive a push notification and can click (Verify), (Cancel), or (Cancel and report fraud).
  • Offline OTP (one-time password): a code that changes every couple of seconds.

So the question is: how do you use the offline OTP? I have implemented a solution where I could use it. To do this, the user must be configured with an OATH token as shown in the figure below.

[Figure: oath]

I am using Citrix NetScaler as the VPN gateway; I configured it as a RADIUS client and pointed it to the on-premise MFA server as the RADIUS server.

Now when connecting to the Citrix VPN gateway, I am prompted for the user name and password:

[Figure: NetscalerMFA]

After that, I am prompted to enter the OTP:

[Figure: NetscalerMFA2]

I then open the Azure MFA mobile app and enter the OTP that is generated for me offline and keeps changing with time:

[Figure: AzureMobileApp2]
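The offline code the app displays is an OATH time-based one-time password (TOTP, RFC 6238), which is why the user has to carry the OATH token setting for the MFA server to accept it over RADIUS. The following is an added example, not code from the original post or from Microsoft, showing how such a code is derived from the shared key and the clock, and how a verifier should check it: a small window for phone clock drift, constant-time comparison, and rejection of any counter at or below the last accepted one so a code that was already used cannot be replayed. The key is the published RFC 6238 test key; the hotp, totp and TotpVerifier names are my own.

```python
# Added example, not code from the original post or from Microsoft: RFC 4226/6238
# OATH HOTP/TOTP generation plus a verifier with a clock-skew window and replay
# rejection, the kind of check an OATH token backend performs on the offline code.
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HOTP with counter = floor(unix_time / step); step 30 s is the usual default.
    t = int(time.time() if at_time is None else at_time)
    return hotp(key, t // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step or +/- `window` neighbouring
    steps (phone clock drift), but never a counter at or below the last accepted
    one, so a code that was already submitted (or observed) cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.key, self.step, self.window, self.digits = key, step, window, digits
        self.last_counter = -1  # highest counter accepted so far for this token

    def verify(self, code: str, at_time=None) -> bool:
        t = int(time.time() if at_time is None else at_time)
        base = t // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed or older than an accepted code
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    KEY = b"12345678901234567890"  # RFC 6238 test key, not a real token seed
    print("code at t=59:", totp(KEY, 59))
    v = TotpVerifier(KEY)
    print("first use:", v.verify(totp(KEY, 59), 59), "replay:", v.verify(totp(KEY, 59), 59))
```

The `last_counter` state must live per token on the server (in the MFA server's case, per user), and a window wider than one step trades a little brute-force resistance for tolerance of badly drifted phones, so keep it small.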

Tip: Using MFA with Microsoft RRAS as a VPN solution

I used Windows Server 2012 R2 as my RRAS server to configure two-factor authentication for VPN clients. I will be using SSTP as the tunneling protocol.

The following configurations are made in NPS:

Configuring the Connection Request Policy to forward requests to the MFA on-premise server as the RADIUS server:

[Figure: RRAS_MFA3]

Configuring the Network Policy with PAP as the authentication method. Do not be afraid of PAP here: we are using SSTP (HTTPS) as the VPN tunnel method, so the credentials are sent inside the TLS tunnel.

[Figure: MFA_RRAS4]

Now, in the RRAS console, configure the authentication method as PAP and configure a certificate for SSTP:

[Figure: MFA_RRAS]

Finally, to enforce SSTP as the only tunneling protocol, go to the Ports node, right-click, click Properties, and configure the number of ports as shown below (zero ports for every protocol except SSTP and PPTP, and one port for PPTP):

[Figure: mfa_rras2]

Now, when a Windows client connects to my RRAS server, it must be configured with PAP as the authentication method:

[Figure: RRAS_MFA_5]

When you connect, the PAP credentials are protected by the SSL tunnel, and the RADIUS client (NPS) then encrypts the credentials in the RADIUS request before forwarding them to the on-premise MFA server, as shown in my trace:

[Figure: RADIUS Message2]
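Two things on this page are plain RFC 2865 RADIUS behaviour: the encrypted password seen in the trace above, and the Access-Challenge the TechNet answer says the RADIUS client must handle before one-way SMS can work over RADIUS. The following is an added example, not code from the original post or from Microsoft: a minimal RADIUS codec with the PAP User-Password hiding, a simulated MFA RADIUS server that answers the first Access-Request with an Access-Challenge carrying a State attribute, and a client that sends the OTP back together with that State in a second Access-Request. The shared secret, the user database, the "SMS" delivery and all names (hide_password, MfaRadiusServer, login) are my own constructed stand-ins.

```python
# Added example, not code from the original post or from Microsoft: a minimal
# RFC 2865 RADIUS codec and a simulated MFA RADIUS server. It shows how a PAP
# User-Password is hidden on the RADIUS hop and the Access-Request ->
# Access-Challenge -> Access-Request(State) -> Access-Accept round trip that
# one-way SMS OTP needs. Secret, users and OTP delivery are constructed stand-ins.
import hashlib
import hmac
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks; block i ^= MD5(secret + previous
    # ciphertext block), seeded with the 16-byte Request Authenticator.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password (passwords ending in NUL bytes are not supported).
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def reply(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
    pkt = encode(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def reply_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    # The RADIUS client must verify this before trusting an Accept or Challenge.
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


class MfaRadiusServer:  # stand-in for the on-premise MFA server's RADIUS listener
    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users = secret, users
        self.pending = {}     # State value -> (username, otp) awaiting leg two
        self.sms_outbox = []  # stand-in for the SMS gateway: (username, otp)

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        typed = reveal_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:  # leg two: User-Password now carries the OTP
            entry = self.pending.pop(a[STATE], None)  # one attempt per challenge
            ok = entry is not None and entry[0] == user and hmac.compare_digest(entry[1], typed)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)
        if code != ACCESS_REQUEST or self.users.get(user) != typed:
            return reply(ACCESS_REJECT, ident, req_auth, [], self.secret)
        otp, state = f"{secrets.randbelow(10 ** 6):06d}".encode(), os.urandom(16)
        self.pending[state] = (user, otp)
        self.sms_outbox.append((user, otp))  # "send" the OTP out of band
        return reply(ACCESS_CHALLENGE, ident, req_auth,
                     [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent by SMS")], self.secret)


def login(server, secret: bytes, user: str, password: str, typed_otp: bytes = None) -> int:
    # Plays the RADIUS client (NPS / NetScaler) and the user; returns the final code.
    # typed_otp=None means the user types the code that was actually "sent by SMS".
    auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    resp = server.handle(encode(ACCESS_REQUEST, 1, auth, attrs))
    if not reply_is_authentic(resp, auth, secret):
        return ACCESS_REJECT
    code, _, _, rattrs = decode(resp)
    if code != ACCESS_CHALLENGE:
        return code
    otp = server.sms_outbox[-1][1] if typed_otp is None else typed_otp
    auth2 = os.urandom(16)
    attrs2 = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(otp, secret, auth2)),
              (STATE, dict(rattrs)[STATE])]
    resp2 = server.handle(encode(ACCESS_REQUEST, 2, auth2, attrs2))
    return decode(resp2)[0] if reply_is_authentic(resp2, auth2, secret) else ACCESS_REJECT
```

A VPN gateway that cannot turn the Access-Challenge into a second prompt (the situation the TechNet answer describes) would treat the challenge as a failure at `code != ACCESS_CHALLENGE`, which is exactly why the gateway's RADIUS client matters. Note also that the User-Password hiding is only MD5 keyed with the shared secret, so a long random secret and a trusted network path between NPS and the MFA server still matter even though the client-side PAP leg is inside SSTP.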

The only thing you should worry about is that the Microsoft VPN client on Windows times out quickly, before the two-factor authentication finishes. A registry tweak on the client may solve this by extending the timeout:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP: MaxConfigure = 10

Change this to 60, for example.

Also be sure to change the RADIUS timeouts in RRAS to at least 30-45 seconds or you’ll get an error.


6 comments on “Azure Multi-Factor Authentication on premise – Tricks”

  1. Pingback: Azure Multi-Factor Authentication Server Deployment – P1 | Ammar Hasayen - Blog

  2. Pingback: The story of Multi-Factor Authentication and the Azure MFA | Ammar Hasayen - Blog

  3. Thanks for your blog, as you have taken the time to help others.

    I’m running into some issues and am stumped. I’m trying to run everything off a single server running Windows Server 2012 R2 Essentials. But Azure MFA on separate ports doesn’t seem to work. Do you know if you can run Azure MFA on separate ports and get the same thing you have described above?

    • Sorry for the delay, you mean changing the HTTPS outbound and inbound ports? Don’t guess it is an option, as the cloud service will listen and send on HTTPS and this cannot be changed.

  4. Hi,

    “I’m trying to run everything off a single server running Windows Server 2012 R2 Essentials”..
    the RADIUS ports from NPS to the RADIUS ports on MFA. Install everything on a single server. Can you set a listen IP address on the MFA application maybe?

    I’m totally stumped. Seems to work fine when using my laptop as a second server for MFA, but trying to get everything running on a single server.

    Any thoughts or chain of thought might give me something I missed, even if you don’t know the answer. Thanks.

  5. Hi Brother,

    I would require some help with MFA – On Premise.

    I have developed a custom web application which is authenticated using MFA Server.

    The calls, SMS – two way, and Mobile App functionalities are working correctly as expected.

    But SMS – one way is not working. I have developed an OTP screen in my application, but it is not redirecting to that screen when the SMS one-way option is used. It throws the following error.
    Error Message:

    Login Failed

    Please verify the following items:

    You entered your usename and password correctly.
    You have the correct phone close to you and it has reception.
    You entered the correct PIN.
    If the problem persists, please contact your company’s help desk for assistance.

    While debugging, the error is thrown before the application load command. Are there any settings I’m missing? Could you please help with this.

    Thanks

    Kumar
