Azure Multi-Factor Authenticaion on premise – Tricks updated may 2017

I want to share with you some of the tips and tricks when deploying the Azure MFA on premise. These tips are from my own personal experience of dealing with Azure MFA services.

Tip : SMS Notification – One Way or Two Way

If you are using SMS notification option, then you would notice that a one time password is sent to your phone as an SMS, and you have to reply with another message (this mode is called Two-Way SMS Notification). My comments here are :

  • Extra charges, because the person doing the multi-factor authentication needs to send a message back with the OTP.
  • It is better if you can type the OTP to the browser itself if possible, instead of replying to the SMS.

Although replying with another SMS is completely out of band and more secure option, some may argue that it would better if the OTP could be sent via SMS and then being typed to the application itself (this is called One-Way SMS Notification)

On the MFA on premise server console, the option to choose One-Way  SMS notification is grayed out. You can only choose the Two-Way !

SMS Azure

After searching alot on the web to find a way to activate the One-Way SMS notification, I realized that this is only possible via the Azure Multi-Factor Authentication SDK. The SDK exposes the option of One-Way SMS as seen below:

OTP Azure

This means if you have developed a logon page, you can use the SDK and use the MODE_SMS_ONE_WAY_OTP option there. But what if you want to use the One-Way SMS notification option to secure a VPN connection. You simply cannot because the VPN endpoint will most probably may not support code to be injected to its logon functionality where you can use the SDK.

Update : On Microsoft Technet Forum, asking about Two-Way SMS, and getting this answer:“MFA Server v6.2.2 and older doesn’t have one-way SMS capability. It is being added to v6.3 which is expected to release in Jan 2015. The one-way SMS will work with the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS, the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can be prompted for the OTP.”

Update: The new version of MFA v6.3 supports SMS_ONE_WAY_OTP as per https://social.msdn.microsoft.com/Forums/en-US/b20d9859-b27e-4918-a370-db79fa7612cc/one-way-sms-otp-in-azure-mfa-server?forum=windowsazureactiveauthentication

Tip: How to use the OTP that is generated from the Azure MFA mobile app

The Azure Multi-Factor mobile app servers two things:

  • Push notification: where you receive a push notification and you can click (Verify), (Cancel), or (Cancel and report fraud).
  • Offline OTP (one time password) that is changed every couple of seconds.

So the question is how to use the offline OTP? I have implemented a solution where I could use the offline OTP. To do this, the user should be configured with OATH Token as shown in the below figure.

oath

I am using Citrix NetScaler as a VPN gateway and i have configured it as RAIUS client and I pointed it to the on premise MFA server as the RADIUS server.

Now when connecting to the Citrix VPN gateway, I am prompted with the user name and password:

NetscalerMFA

After that, I am prompted to enter the OTP:

NetscalerMFA2

I then will open the Azure MFA mobile app, and I enter the OTP that is generated for me offline and keep changing with time:

AzureMobileApp2

Tip: using MFA with Microsoft RRAS as a VPN solution

I used Windows 2012 R2 as my RRAS server to configure a two factor authentication for VPN client. I will be using SSTP as my protocol.

The following configuration are made to NPS:

Configuring the Connection Request Policy to point to the MFA on premise server as the RADIUS server

RRAS_MFA3

Configuring the Network Policy with PAP as the authentication method. Do not be afraid because we are using SSTP (HTTPS) as the VPN tunnel method, so the credentials will be sent over HTTPS.

MFA_RRAS4

Now on RRAS console, configure the authentication method as PAP, and configure a certificate for SSTP:

MFA_RRAS

Finally, to enforce SSTP as the only tunneling protocol, go to Ports node, right click and click Properties, and configure the number of ports as shown below [for all ports except SSTP and PPTP, configure zero ports, and one port for PPTP]

mfa_rras2

Now when a Windows client tries to connect to my RRAS, it should be configured with PAP as the authentication method:

RRAS_MFA_5

When you connect, the PAP credentials will be secured via the SSL tunnel, and then the MFA server will encrypt the credentials before sending them to the one premise MFA server as shown in my trace:

RADIUS Message2

The only thing you should worry about is that the Microsoft VPN client on Windows client will time out quickly before the two factor authentication finishes, a registry hack on the client may solve this issue to extend the time out:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP:MaxConifgure=10

Change this to 60 for example.

Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you’ll beget an error.

See Also

Azure Multi-Factor Authentication Server Deployment – P2 [Updated March 2017]

Please check part one here:

Azure Multi-Factor Authentication Server Deployment – P1

You can also check the following relevant posts:

The installation of the the on premise MFA server consists of the following:

  1. The installation of the MFA Server and Management console
  2. The installation of three web services:
    1. User Portal
    2. SDK
    3. Mobile App service

The user portal is an IIS site that your users can log on to, and perform many tasks like:

  • Change their mobile number that MFA server will use to perform the second factor authentication. You can configure the MFA server to sync mobile numbers from AD and not allow users to change their mobile numbers via this portal.
  • Set couple of security questions. These questions can be used by an IT Operator to verify the identity of the user, if the user calls the help desk and ask him to change the second factor method ( Mobile App notifications instead of mobile call for example)
  • Activate their mobiles so that they can receive notifications in case of Mobile App options.

The SDK service is used for custom integration with the MFA server and it is a requirement to install if you want to use the mobile app notification feature, as the mobile app service will connect to the SDK IIS virtual directory in order to connect to the MFA server.

The Mobile App Service is the service that mobile apps connects to, in order to submit the verification. This service should be published externally and should resolve to external DNS name.

You can install the portals in different server than the MFA server itself. For simplicity, i will choose to install the MFA server and the three portals in the same Windows 2012 R2 machine.

Installing the MFA Server

I will be using Windows 2012 R2 server for my MFA and portals. Now that you have downloaded the Azure MFA server, run the installation wizard, and click next until it is installed. No conflagration needed at this time.

You can check the hardware and software requirements here.

1

Now open the MFA console and activate the product using the activation keys you obtained from the Azure management portal where you downloaded the MFA server. Make sure the server can connect to internet using http/https for the activation to work. Also make sure the server always can connect to internet using these ports as the server needs to connect to Azure for every authentication request  verification.

2

Installing Azure MFA User Portal

The User Portal is an IIS web site to allow users to enroll in Azure MFA and maintain their accounts. Mainly, users can log on there, and choose if they want the second factor to be a phone call, SMS, or push notification on the mobile app. Also you can give users the ability to change their phone number if you want.

You can install the User Portal in a different server than the MFA server, but for simplicity, I recommend to install all portals on the MFA server itself. Here is a link that can help you with the installation steps for more complex deployments.

You should have IIS installed including asp.net and IIS 6 meta base compatibility for IIS 7 or higher. I choose to install the user portal on the same MFA server. During the installation of the user portal, a security group is created in AD, so make sure the account that is used to install the user portal can create security group in AD.

MFA Pre

MFA PRER2

MFA PRER3

To install the user portal, open the MFA Server management console, go to the User Portal node and check the settings available.

I usually remove the OATH token method because i will not be using it, and also i remove the security questions option, as this seemed a possible way to bypass the security and making it less secure.

MFA User Portal

Now, click Install User Portal. The wizard will tell you that it will create the following:

  • Security group in AD, placed under the built in Users container, called PhoneFactor Admins. 
  • User account called named PFUP_MFAServerName , where MFAServerName is the name of the MFA server.
  • Adds the previously created account to the previously created security group.

Note: do not check the box (Skip automatic Active….). doing that means you have to create the group and user manually.

I also set the PhoneFactor Admins security group as member of the local administrators group in the

MFA_Config2

Next, you be prompted with the IIS web site to use (leave as default), and the virtual directory for the user portal. I usually change this to “Enroll” so that users will browse to https://servername/enroll instead of https://servername/MultiFactorAuth.

MFA Config3

Now open the IIS, you can see the virtual directory called (Enroll). This is where end users will connect to manage their MFA profiles. For me, i also created a certificate and enforce HTTPS for the whole web site.

MFA Config4

Install the MFA SDK 

The SDK should be secured with SSL. Installing it is straight forward. Just open the MFA management console, go to Web Service SDK, and then run the installation. I will install it on the MFA Server itself as we did with the user portal.

MFA Config5

You may need to install Basic Authentication feature before you move on.

MFA Config6

MFA Config7

If you open IIS, you can see the SDK virtual directory.

MFA Config8

Install the MFA Mobile App Web Service

You should install the MFA SDK before proceeding with the MFA Mobile App Web Service. I will install the MFA mobile app web service on the same server also.

To start the installation, go to C:\Program Files\Azure Multi-Factor Authentication, choose the 32 or 64 bit installation file (MultiFactorAuthenticationMobileAppWebServiceSetup64) , and tun the installation file, change the virtual directory if needed.

MFA Config9

MFA Config10

I usually change the virtual directory to something like PA (Phone App) instead of the long default one. Now go to your AD, and reset the account the is created by the wizard during the user portal deployment ( the account that is member of the PhoneFactor admins group).

Now browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name) and edit the web.config file. Enter the user account that you have reset, and the password between the quotes in shown in the below section. It is recommended to use a qualified username (e.g. domain\username or machine\username).

MFA Config11

Next change the URL shown below to your SDK virtual directory. Example is : https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx

MFA Config12

References:

Azure Multi-Factor Authentication MSDN Library

The story of Multi-Factor Authentication and the Azure MFA [Updated Feb 2017]

This blog post is moved to my new blog platform:

 

https://blog.ahasayen.com/azure-multi-factor-authentication-azure-mfa/

https://blog.ahasayen.com/multi-factor-authentication-as-a-service-model/

Server Name Indication (SNI)

The problem:

You have a server with couple of web sites that requires SSL connection on port 443. You want to use only one IP address on that server.

You may think, the server could use the host header to know which web site should receive the request.

The problem though is certificate pickup.

Suppose you have a server called SRV1, with one IP address [10.0.0.1], and the following SSL sites:

When the client tries to connect to http://www.contoso.com, and during the SSL handshake, the client will send HTTPS Hello request to the web server, and at that point, the HTTP headers are not available to the server. Once the SSL handshake is completed, the client will encrypt the headers and send the encrypted HTTP request to the server. So, the server cannot access the HTTP headers during the SSL handshake.

So when the client tries to connect to http://www.contoso.com, the only information available to the server is the IP address and Port. Since the server is hosting two web sites, it has no idea which certificate to use in order to serve the request.

The Solution – SNI:

Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets an SSL/TLS client (for example, a browser) indicate the exact hostname it tries to connect to at the start of the SSL/TLS handshaking process.

Saying that, during the SSL handshake, the client will send the domain or host name as part of the SSL/TLS handshake, so that the server can select the correct web site and certificate.

Microsoft included SNI support in IIS 8 when adding a new website.

SNI

SNI Supported Clients:

SNI Supported clients

Most hardware load balancer devices like (Netscaler) does not support SNI when connected to the back end service that supports SNI.  Also Andriod Active Sync does not support it as far as i know.

Be Careful

Some applications like Microsoft ADFS 3.0 and Web Application Proxy,  require SNI connections. This may cause problems for clients coming from XP as they do not support SNI.

There is a trick to make this work by configuring an http.sys fallback certificate where IIS will fall back to legacy SSL binding if SNI binding fails.

Check those links link1, link2 and link3 for more details.

Good Read

http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx

http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx

Exchange Multi-Mailbox Search – Segregation of duties

Requirement

The security or legal team needs access to search corporate mailboxes for keywords in order to investigate a security or legal incident.

Giving that person the ability to view and access other mailboxes without proper auditing is something most organization fear to do, even if that person is trusted and is a senior person.

Microsoft Exchange platform starting from Exchange 2010 I guess, comes with a new feature called Multi Mailbox Search . The problem with giving a person the ability to do searching on corporate mailboxes is still the same.

How Multi Mailbox Search works

I will not go through the details of how this feature works, as you can read on TechNet about it. Instead I will highlight couple of points:

Exchange 2010 introduces the Discovery Management Role and the Discovery Search Mailbox.  By default no users are members of this role and the user associated with the Discovery Search Mailbox is disabled and it cannot receive e-mail.

  • You start by granting a domain user “John” the role of Discovery Management in Exchange by running:

Add-RoleGroupMember -Identity “Discovery Management” -Member John

  • Then John can go to his Outlook Web App > Exchange Control Panel, and he will have access to the Reporting section under My Organization

Multi Mailbox Search

  • From there John can specify a search criteria as shown below.

Multi Mailbox Search 2

  • The results of the search will be sent to the built in system mailbox called (Discovery Search Mailbox).

John is granted automatically access to that (Discovery Search Mailbox) where he can view the results. This is because the (Discovery Search Mailbox) is configured by default with (contoso\Discovery Management) group having Full Mailbox Access. John is added automatically to that group once he is granted the “Discovery Management” Exchange Role previously.

Note: The problem with this approach is that John can perform any search or mailbox discovery on corporate mailboxes without proper control or auditing and this is extremely something to worry about.

Solution

The solution is simply a segregation of duties, where one person performs the search and other person gets access to view the result.

In this scenario, John can only go to his OWA experience and perform the multi-mailbox search with any criteria he wants, and the results will be sent to the (Discovery Search Mailbox). John should not have access to that system mailbox, and thus cannot view the results of his own search.

Now, Sue is another security administrator and she is granted full mailbox access to the (Discovery Search Mailbox) and she can see the result of the multi-mailbox search performed by John. This means that one person can do the search and cannot view the results, where the other person can view the results but cannot do the search. In other words, we require two different people to act in order to do such multi-mailbox search on corporate mailboxes.

How to do it:

  • For John, we will add him to the “Discovery Management” Exchange Role

Add-RoleGroupMember -Identity “Discovery Management” -Member John

  • For Sue, go to Exchange Management Console, search for “Discovery Search Mailbox”, right click and click “Manage Full Access Permission” and do the following:
    • Remove CONTOSO\Discovery Management
    • Add CONTOSO\Sue

Multi Mailbox Search 3

  • Ask John to do the multi-mailbox search from his OWA experience
  • Once done, the results are sent to the “Discovery Search Mailbox”, and John cannot view it although he is member of the (Discovery Management) role, but he cannot access it as we removed the full mailbox access from that mailbox for the AD security group “Discovery Management”.
  • Now John will call Sue and asks her to access that discovery mailbox by typing:

http://owa.contoso.com/xxxxxxxxx

Note: you can get the discovery mailbox SMTP. You can figure out this SMTP by searching for the “Discovery Search Mailbox” in the Exchange Management Console and view the SMTP address from there.

Multi Mailbox Search 5

Windows 8.1 Security Improvements – RestrictedAdmin RDP

Windows 8.1 and also Windows 2012 R2,  come with many security improvements. My favorite feature is related to RDP as i usually use RDP to administer all servers beside PowerShell.

 This measure is meant to enhance Windows credential protection against attacks such as Pass-the-hash attacks.

The new feature is called (Restricted Admin Mode for RDP).  Usually when you connect to a remote computer using RDP, your credentials are stored on the remote computer that you RDP into. Usually you are using powerful account to connect to remote servers, and having your credentials stored on all these computers is a security threat indeed.

Imagine you are conecting to a Remote Desktop Server with your admin credentials using RDP, With so many other users using that server, the possibility for a malware infecting that box is high.

With the new feature introduced in Windows 8.1 and Windows Server 2012 R2, when you connect to a remote computer using the command,  MSTSC.EXE /RESTRICTEDADMIN, you will be authenticated to the remote computer but your credentials will not be stored on that computer as they would have been in the past. This means that if a malware or even a malicious user is active on that server, your credentials will not be available on that remote desktop server.

When connecting to a remote computer using RDP and specifying the /RestrictedAdmin switch, the experience looks like this:

restrictedadmin RDP 1

Things to watch out when using this feature

When you connect to a remote computer using this feature, your identity is preserved on that remote server. Say for example that you are connecting from your machine to a server called (SRV1), any activity that you are doing during that remote desktop session on SR1 is performed using your identity. If you tried to access any network resource from that remote server (SRV1), then the identity that is being used is the computer account $SRV1, and not your identity. This is because your identity is not stored on SRV1 server and it cannot be used to jump or connect to a second network resource from there.

Microsoft documentation mentions this “Restricted mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated.”

So if i connect to SRV1 from my machine and then i tried to access the admin share on SRV2 from that remote desktop session, then the connection will happen using SRV1 computer account and not mine.

restrictedadmin RDP 2

GPO Settings

There is a tricky GPO to control and enforce this new feature. The tricky part that this GPO setting should be applied to the machines initiating the remote desktop session using /RestrcitedAdmin feature, and not on the target RDP server.Example if I had 8.1 clients all over my network it would be a good idea to force this setting on my helpdesk personnel systems so that when they RDP to client systems they would be forced to use Restricted Admin mode.

GPO setting is located under the Administrative Templates under Computer Configuration > System > Credential Delegation > Restrict delegation of credentials to remote servers.

restrictedadmin RDP 3

Limitations

The Restricted Admin mode only applies to administrators and the remote server should support this feature.

Furthermore, the remote server cannot delegate your credentials to a second network resource. This can become a problem with some implementations like remote apps.

Security Trade-Off

There is a big argument on the internet about how vulnerable this feature can be in a way or another, to pass-the-hash attack. Check my blog post to know more.