Introduction

Use the SecureAuth IdP Credential Provider to protect Windows Desktops and Servers with an additional 2-Factor Authentication module.

Companies and organizations use the SecureAuth IdP Credential Provider to enhance typical Windows Logon functions by adding a 2-Factor Authentication requirement to the username and password validation.

SecureAuth IdP Credential Provider supports usage of the following features:

  • OATH OTP Multi-Factor Authentication method provided by a SecureAuth mobile, desktop, or browser app, or a third-party hardware token
  • online and offline mode
  • Logon and Unlock Windows functions
  • 2-Factor Bypass List of user groups (e.g. Admins) permitted to log on without providing the second factor (OTP)

This version of the Credential Provider also supports Multi-user Mode for terminal server / RDSH – by defaulting the user ID field to blank rather than another user's information – to ensure security for multiple users logging on the same machine.

Prerequisites

SecureAuth IdP: Version 8.0+

SecureAuth App Enrollment Realm (i.e. OATH Provisioning Realm, SecureAuth998): completely configured beforehand

Windows Devices / Components:

  • Windows 7, 8, 8.1, and 10 for desktops (32-bit or 64-bit support)
  • Windows 2008 for servers (Application Mode) (32-bit only support)
  • Windows 2008 R2, 2012, 2012 R2 for servers (Application and RDSH mode) (64-bit only support)
  • .NET 4.5 Framework
  • SSL certificate that matches the FQDN of the SecureAuth IdP appliance
  • Desktops joined to the domain

Do not install the Credential Provider on the SecureAuth IdP appliance

This can cause a deadlock condition and disable access to the appliance

The Credential Provider only supports the OATH Seed mode (single OATH seed value), and not OATH Token mode (multiple OATH seed values)

SecureAuth IdP Configuration Steps

Execute the following configuration steps in addition to the configuration steps in the App Enrollment / OATH Provisioning Realm

System Info

1. In the App Enrollment Realm / OATH Provisioning Realm, in the Links section of the System Info tab, click "Click to edit Web Config file"

2. In the web.config file, verify that the <system.serviceModel> section of the authentication realm appears as follows:

NOTE: For SecureAuth IdP versions 8.0.1 and lower, useRequestHeadersForMetadataAddress must be added manually

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior>
                <useRequestHeadersForMetadataAddress/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

For 9.0.2 Deployments

If using SecureAuth IdP version 9.0.2, then add the following app setting to the web.config:

<add key="CpValidateOTP" value="False" /> 

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
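A read-only check of the realm's web.config for the two settings above, as an added example that is not SecureAuth's own tooling: it confirms useRequestHeadersForMetadataAddress is present in the default service behavior and, for 9.0.2, that CpValidateOTP is set to False. The web.config path is a placeholder and the -Is902 switch stands in for the version check described above.

```powershell
# Added example, not part of SecureAuth IdP. Run on the appliance against the
# App Enrollment realm's web.config and report what the Credential Provider needs.
param(
    [string]$WebConfig = 'D:\SecureAuth\SecureAuth998\web.config',  # placeholder path
    [switch]$Is902                                                  # appliance runs IdP 9.0.2
)

if (-not (Test-Path $WebConfig)) { throw "web.config not found: $WebConfig" }
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$problems = @()

# <system.serviceModel><behaviors><serviceBehaviors><behavior><useRequestHeadersForMetadataAddress/>
# The documented snippet uses the unnamed (default) <behavior>, so no name attribute is checked.
$xpath = '/configuration/system.serviceModel/behaviors/serviceBehaviors/behavior/useRequestHeadersForMetadataAddress'
if (-not $cfg.SelectSingleNode($xpath)) {
    $problems += 'useRequestHeadersForMetadataAddress is missing from <serviceBehaviors>/<behavior> (must be added manually on 8.0.1 and lower)'
}

# <appSettings><add key="CpValidateOTP" value="False"/> is required only on 9.0.2.
$cp = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='CpValidateOTP']")
if ($Is902) {
    if (-not $cp)                    { $problems += 'CpValidateOTP app setting is missing (required on 9.0.2)' }
    elseif ($cp.value -ne 'False')   { $problems += "CpValidateOTP is '$($cp.value)', expected 'False'" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "web.config is ready for the Credential Provider: $WebConfig"
```

Edit the file through the System Info tab as described above rather than with this script; the script only reports, it never writes.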

Installation Steps

The SecureAuth Credential Provider installer supports the Wizard install mode and silent mode installation

1. Contact SecureAuth Support to obtain the latest SecureAuth Credential Provider installer

SecureAuth IdP Credential Provider Setup Wizard

2. Open the .msi file, which prompts the SecureAuth IdP Credential Provider Setup Wizard

3. Once the Wizard initiates, click Next to continue the installation

2-Factor Bypass Option

4. Set the IdP Web Service URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the SecureAuth App Enrollment Realm name, and /webservice/profilews.svc, e.g. https://secureauth.company.com/secureauth998/webservice/profilews.svc

5. Provide a list of user group(s) that are allowed to bypass 2-Factor Authentication for login, or leave blank to require 2-Factor for all users

Users belonging to the listed groups are not required to complete 2-Factor Authentication to log into desktops / servers

Nested groups are not supported

Groups able to bypass 2-Factor Authentication must be AD "Security Groups"

6. Click Next

Complete Installation

7. Click Next to confirm the installation

8. Wait for the Credential Provider to install

9. Click Close to complete the installation

The silent mode is intended for enterprise administrators who leverage software distribution tools or group policies for MSI distribution / installation

2. Open a Command Prompt with the privileges to execute the installer and type in the following:

msiexec /i "msi-path\SecureAuthIdPCredentialProvider.msi" /qn /l* log-file-name.txt CmdOtpSeedURL=https://secureauth.company.com/secureauth998/webservice/profilews.svc CmdOtpGroupBypassList="Domain Admins" CacheLastUsername=0

Required

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Replace secureauth.company.com with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance

Replace secureauth998 with the actual SecureAuth App Enrollment Realm if using a different realm for the OATH Seed Enrollment

Optional

Replace log-file-name with the actual name of the log file

Replace Domain Admins with the actual Group Name(s) that bypass 2-Factor Authentication (comma-delimited)

Set the value for CacheLastUsername to 1 (default) to display the last logged on user in the User ID field (typical for personal laptops)

When the value is set to 0, the User ID field will be blank for every logon (typical for kiosks or servers)

3. Review the Log File text file for any failure or error messages
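A scripted version of the silent install above, as an added example that is not part of SecureAuth's installer or documentation: it runs the documented msiexec line, checks the MSI exit code and log file for failures, confirms the HKLM\SOFTWARE\SecureAuth2FactorCP key was created, and turns on the otpLog / otpLogPath logging described in the Activate Logging section for the first test logon. The paths, FQDN and group name are placeholders; the registry value types are assumed (DWORD / String) only when the installer did not already create the value.

```powershell
# Added example (not SecureAuth's installer or documentation code).
#Requires -RunAsAdministrator
param(
    [string]$MsiPath   = 'C:\Users\admin\Downloads\SecureAuthIdPCredentialProvider.msi', # placeholder
    [string]$SeedUrl   = 'https://secureauth.company.com/secureauth998/webservice/profilews.svc',
    [string]$Bypass    = 'Domain Admins',          # comma-delimited AD security groups
    [int]$CacheLastUser = 0,                       # 0 = blank User ID field (servers / kiosks)
    [string]$MsiLog    = "$env:TEMP\SecureAuthCP-install.log",
    [string]$CpLogPath = 'C:\Windows\Temp'         # where the CP writes OTPCredentialProvider.txt
)

if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
if ($SeedUrl -notmatch '^https://') { throw 'IdP Web Service URL must be HTTPS; the certificate must match the appliance FQDN' }

# Same switches and properties as the documented silent install line.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*', "`"$MsiLog`"",
             "CmdOtpSeedURL=$SeedUrl",
             "CmdOtpGroupBypassList=`"$Bypass`"",
             "CacheLastUsername=$CacheLastUser")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but reboot required (the OTP text box appears after a restart)
if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exit code $($proc.ExitCode); review $MsiLog" }

# Step 3 of the silent install: an MSI log records each failed action as "Return value 3".
Select-String -Path $MsiLog -Pattern 'Return value 3' | ForEach-Object { Write-Warning $_.Line }

# The CP keeps its settings under HKLM\SOFTWARE\SecureAuth2FactorCP; a missing key means it did not register.
$key = 'HKLM:\SOFTWARE\SecureAuth2FactorCP'
if (-not (Test-Path $key)) { throw "Registry key $key not found after install" }

function Set-CpSetting([string]$Name, $Value, [string]$AssumedKind) {
    # Keep the value type the installer created; fall back to the assumed type only for a new value.
    $kind = $AssumedKind
    if ($null -ne (Get-Item $key).GetValue($Name)) { $kind = (Get-Item $key).GetValueKind($Name) }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $kind -Force | Out-Null
}
Set-CpSetting 'otpLog'     1          'DWord'   # 1 = enable CP logging for the first test logon
Set-CpSetting 'otpLogPath' $CpLogPath 'String'  # folder for OTPCredentialProvider.txt and the other logs

# List every CP setting so the RDP enforcement value can be confirmed in the same pass.
Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
Write-Output 'Install complete. Restart, perform the first logon on the corporate network, then set otpLog back to 0.'
```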

Optional Server Installation Step

Disable Network Level Authentication (NLA) to allow only locally-stored users to access the VM

Consult the System Administrator on the corporate policy and procedure of disabling NLA

The requirement for OTP can be changed for console or RDP sessions

See the (Optional) Credential Provider Preferences section below for the required registry settings

References

  • Remote Desktop Connection 6.0 message: https://support.microsoft.com/en-us/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e
  • Windows Server 2016 / Windows 10 connection message: http://blog.zmarzly.me/windows-server-2016-windows-10-the-connection-cannot-proceed-because-authentication-is-not-enabled/

End-user Experience

If upgrading from a previous version of the Credential Provider, then for the initial login, the end-user's device must be connected to the corporate network

The login screen displays three text boxes, one for Username, one for Password, and one for OTP

(Optional) Credential Provider Preferences

The Credential Provider (by default) requires 2-Factor Authentication for the local console and for RDP sessions

To change the settings:

1. Select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click on each of the registry settings (more information in the section below), enter one of the following options for each, and click OK:

otpRDP: Default is 2

  • otpEnableForRDP = 0 > SecureAuth CP enforces 2-Factor login for the local console only
  • otpEnableForRDP = 1 > SecureAuth CP enforces 2-Factor login for RDP sessions only
  • otpEnableForRDP = 2 > SecureAuth CP enforces 2-Factor login for both the local console and RDP sessions

(Optional) Activate Logging

By default, the logging feature is turned off

1. To turn on logging for troubleshooting, select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click on each of the registry settings, enter one of the following options for each, and click OK:

  • otpLog: Default is 0
    • Enter 1 to enable logging
    • Enter 0 to disable logging
  • otpLogPath: Default is %windir%\Temp (e.g. C:\Windows\Temp)
    • Path where SecureAuth stores the log files

4. If 1 was entered to turn on logging in step 3, then click otpLogPath and enter the location where the log files are to be saved

If contacting SecureAuth Support, then send the following logs:

  • OTPCredentialProvider.txt: Used by Support during the initial troubleshooting to analyze what has occurred
  • OTPManager.txt and OTPSeedCalc.txt: Contain code that SecureAuth developers review to troubleshoot complex issues

Uninstall Configuration Steps

1. Double-click the SecureAuth IdP Credential Provider installer

2. Select Remove and then click Next to complete

To uninstall in silent mode, enter the following in the Command Prompt:

msiexec /x "msi-path\SecureAuthIdPCredentialProvider.msi" /q

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Troubleshooting / Common Issues

If the additional OTP text box does not display after restart

After initial installation, the credential provider may require an extended period of time to display

If the credential provider does not display, then an additional restart may be required

Error Messages and What They Mean

An internal system error occurred - please contact your system administrator: This typically indicates that something has been misconfigured, or a component is not registered or is missing. It could also mean that a catastrophic error has occurred, such as a memory allocation error or a disk full situation that needs the attention of an administrator. Uninstall and reinstall is recommended.

Invalid Username, Password, or One-Time Password: This typically indicates that either the incorrect credentials were entered or that the user did not perform the initial logon when on the domain. The client computer must be able to reach the SecureAuth IdP appliance and the domain for the initial logon so that the seed values can be cached in the registry and so that the computer can be used offline.

An invalid username was entered - please try again: This indicates that the username could not be parsed due to invalid syntax (e.g. "\", "\username", "domain\").

Release Notes
Release Date: March 14, 2016

Version: 2.5

What's New:

  • Terminal server / RDSH support (multi-user mode)
  • Update method and location used to store configuration data in registry
  • New option to suppress last login user ID in user ID field for multi-server workstations or servers (Silent Mode only)

Resolved Issues:

  • 1666: Preserve bypass group and URL on upgrade
  • 1744: Feature to not display Last User Login (Silent Mode only)