
Security Notice

A critical security vulnerability affects SecureAuth Credential Provider versions 2.6.5 to 2.8.2. SecureAuth recommends all users upgrade to version 2.8.5 immediately.

For details, contact your SecureAuth Support representative or refer to SecureAuth Security Bulletin SA-2018-02 (SecureAuth Credential Provider).

Check out the latest version of the SecureAuth Credential Provider

See Login for Windows or Login for Mac documentation for information about the products that replace the SecureAuth Credential Provider product.

Introduction

Use the SecureAuth IdP Credential Provider to protect Windows Desktops and Servers with an additional Multi-Factor Authentication module.

Companies and organizations use the SecureAuth IdP Credential Provider to enhance typical Windows Logon functions by adding a Multi-Factor Authentication requirement to the username and password validation.

SecureAuth IdP Credential Provider supports usage of the following features:

  • OATH OTP Multi-Factor Authentication method provided by a SecureAuth mobile, desktop, or browser app, or a third-party hardware token
  • online and offline mode
  • Logon and Unlock Windows functions
  • 2-Factor Bypass List of user groups (e.g. Admins) permitted to log on without providing the second factor (OTP)
  • Multi-user Mode for terminal server / RDSH – which defaults the user ID field to blank rather than another user's information – to ensure security for multiple users logging on the same machine

This version of the Credential Provider also lets users securely update password information via SecureAuth's Self-service Password Reset; and companies can enable an additional credential provider to provide users two distinct login methods (such as via smart cards and SecureAuth's Multi-Factor Authentication).

NOTE: The Credential Provider only supports the OATH Seed mode (single OATH seed value), and not OATH Token mode (multiple OATH seed values)

Prerequisites

SecureAuth IdP: Version 8.0+

SecureAuth App Enrollment Realm: (e.g. SecureAuth998) completely configured beforehand

Windows devices / components:

  • Windows 7, 8.1 or 10 desktop (32-bit or 64-bit support)
  • Windows 2008 R2, 2012 or 2012 R2, 2016 server (64-bit only support)
  • .NET 4.5 Framework
  • SSL certificate matching the FQDN of the SecureAuth IdP appliance
  • Domain-joined desktops
  • Domain or non-domain-joined servers

Do not install the Credential Provider on the SecureAuth IdP appliance – This can cause a deadlock condition and disable access to the appliance

With the exception of the Microsoft-provided credential providers, SecureAuth Credential Provider does not support third-party credential providers

SecureAuth IdP Configuration Steps

Execute the following configuration steps in addition to the configuration steps in the App Enrollment / OATH Provisioning Realm

System Info

1. In the App Enrollment Realm / OATH Provisioning Realm, in the Links section of the System Info tab, click Click to edit Web Config file

2. In the web.config file, verify that the <system.serviceModel> section of the authentication realm appears as follows:

NOTE: For SecureAuth IdP versions 8.0.1 and lower, useRequestHeadersForMetadataAddress must be added manually

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior>
                <useRequestHeadersForMetadataAddress/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

For 9.0.2 Deployments

If using SecureAuth IdP version 9.0.2, then add the following app setting to the web.config:

<add key="CpValidateOTP" value="False" /> 

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
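The two web.config checks above can be verified from the appliance without opening the file by hand. The following PowerShell script is an added example and is not SecureAuth's own code; the realm path is an assumption, and placing CpValidateOTP under <appSettings> is the standard ASP.NET location, also assumed rather than stated on this page.

```powershell
# Added example, not SecureAuth's own code: check that an App Enrollment realm's
# web.config carries the two settings this page requires. The realm path is an
# assumption; the <appSettings> location for CpValidateOTP is the standard
# ASP.NET placement and is also assumed.
param(
    [string]$WebConfigPath = 'D:\SecureAuth\SecureAuth998\web.config',  # assumed path
    [switch]$Is902                                                       # pass when IdP is 9.0.2
)

[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$problems = @()

# 1. <useRequestHeadersForMetadataAddress/> must sit under serviceBehaviors/behavior
$xpath = '/configuration/system.serviceModel/behaviors/serviceBehaviors/behavior/useRequestHeadersForMetadataAddress'
if (-not $cfg.SelectSingleNode($xpath)) {
    $problems += 'useRequestHeadersForMetadataAddress is missing from <system.serviceModel> (add it manually on IdP 8.0.1 and lower)'
}

# 2. CpValidateOTP=False is required only on 9.0.2
if ($Is902) {
    $setting = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='CpValidateOTP']")
    if (-not $setting) {
        $problems += 'CpValidateOTP app setting is missing (9.0.2 needs <add key="CpValidateOTP" value="False" />)'
    } elseif ($setting.GetAttribute('value') -ne 'False') {
        $problems += "CpValidateOTP is '$($setting.GetAttribute('value'))', expected 'False'"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $WebConfigPath has the Credential Provider settings"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as `.\Check-CpWebConfig.ps1 -WebConfigPath <realm>\web.config` (add `-Is902` on a 9.0.2 deployment). A non-zero exit code makes it usable as a post-change check in a deployment pipeline.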

Installation Steps

The SecureAuth Credential Provider installer supports the Wizard install mode and silent mode installation

1. Contact SecureAuth Support to obtain the latest SecureAuth Credential Provider installer

SecureAuth IdP Credential Provider Setup Wizard

2. Start the .msi file, which prompts the SecureAuth IdP Credential Provider Setup Wizard

3. Once the Wizard initiates, click Next to continue the installation

2-Factor Bypass Option

4. Set the IdP Web Service URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the SecureAuth App Enrollment Realm name, and /webservice/profilews.svc, e.g. https://secureauth.company.com/secureauth998/webservice/profilews.svc

5. Provide a list of user group(s) that are allowed to bypass Multi-Factor Authentication at logon, or leave blank to require Multi-Factor Authentication for all users

The users belonging to the groups listed are not required to provide the second factor (OTP) to log on to desktops / servers

Nested groups are not supported

Groups able to bypass authentication must be an AD "Security Group"

6. Click Next

Optional Features

7. Enter the class identifier corresponding to the Windows OS type to provide users the ability to use a smart card as an alternate credential provider, or leave blank to not include an alternate credential provider

8. Click Next

9. Enable Display Last Logon User ID to show the previous user's logon ID in the Username field, or leave unchecked to not show the ID of the last user that logged on

10. Click Next

11. Provide an Additional Authentication Workflow URL and the associated Link Label that will appear beneath the logon entry fields, or leave blank to not include a link to another realm

12. Click Next

Complete Installation

13. Click Next to confirm the installation

14. Wait for the Credential Provider to install

15. Click Close to complete the installation

The silent mode is intended for enterprise administrators that leverage software distribution tools or group policies for MSI distribution / installation

2. Open a Command Prompt with privileges to execute the installer and type in the following (see the Required and Optional notes below for the values to replace):

msiexec /i "msi-path\SecureAuthIdPCredentialProvider.msi" /qn /l* log-file-name.txt CmdOtpSeedURL=https://secureauth.company.com/secureauth998/webservice/profilews.svc CmdOtpGroupBypassList="Domain Admins" CacheLastUsername=0 WorkflowURL=https://secureauth.company.com/secureauth# WorkflowLabel="Self-Service Password Reset" AlternateCredentialProvider="CLSID GUID"

Required

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Replace secureauth.company.com with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance

Replace secureauth998 with the actual SecureAuth App Enrollment Realm if using a different realm for the OATH Seed Enrollment

Optional

Replace log-file-name with the actual name of the log file

Replace Domain Admins with the actual Group Name(s) that bypass Multi-Factor Authentication (comma-delimited)

Set the value for CacheLastUsername to 1 (default) to display the last logged on user in the User ID field (typical for personal laptops)

When the value is set to 0, the User ID field is blank for every logon (typical for kiosks or servers)

Set values for WorkflowURL, WorkflowLabel, and AlternateCredentialProvider specific to the realm location, workflow type, and alternate credential provider method

3. Review the Log File text file for any failure or error messages

If upgrading from a previous version of the Credential Provider, then for the initial logon, the end-user's device must be connected to the corporate network
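Steps 2 and 3 of the silent install are typically scripted so the same property values reach every host and the log is checked automatically. The following PowerShell wrapper is an added example, not SecureAuth's installer or code: it builds the msiexec line from this page, runs it, and scans the log for failures. The MSI path, FQDN, realm names and the log location are placeholders for your environment; "return value 3" is the Windows Installer log marker for a failed action.

```powershell
# Added example (not SecureAuth's installer or code): run the silent install from
# this page with explicit parameters, then scan the msiexec log for failures.
# All paths, the FQDN and the realm names are placeholders for your environment.
$MsiPath   = 'C:\users\admin\downloads\SecureAuthIdPCredentialProvider.msi'
$LogPath   = Join-Path $env:TEMP 'SecureAuthCP-install.log'
$IdpFqdn   = 'secureauth.company.com'          # replace with the appliance FQDN
$Realm     = 'secureauth998'                   # App Enrollment / OATH Provisioning realm
$SsprRealm = 'secureauth999'                   # assumed realm hosting the SSPR workflow

# Property values taken from the page's msiexec line. Keep the bypass list as
# short as possible: members of these groups log on with password only.
$props = @(
    "CmdOtpSeedURL=https://$IdpFqdn/$Realm/webservice/profilews.svc"
    'CmdOtpGroupBypassList="Domain Admins"'
    'CacheLastUsername=0'                       # blank User ID field (servers / kiosks)
    "WorkflowURL=https://$IdpFqdn/$SsprRealm"
    'WorkflowLabel="Self-Service Password Reset"'
    # 'AlternateCredentialProvider="{CLSID GUID}"'  # only when a second provider is wanted
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }

$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*', "`"$LogPath`"") + $props
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but reboot required
if ($proc.ExitCode -notin 0, 3010) {
    Write-Warning "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# Step 3 on the page: review the log file for failure or error messages
$hits = Select-String -LiteralPath $LogPath -Pattern 'error|fail|return value 3'
if ($hits) {
    Write-Warning "Log contains $($hits.Count) suspicious line(s):"
    $hits | Select-Object -First 20 | ForEach-Object { $_.Line }
} else {
    Write-Output "Install completed; no errors found in $LogPath (exit code $($proc.ExitCode))"
}
```

Run from an elevated PowerShell session on the target host, or hand the script to the software distribution tool. The AlternateCredentialProvider line stays commented out unless a second credential provider (such as smart card) is wanted, since every extra provider is another logon path to review.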

Optional Server Installation Step

Disable Network Level Authentication (NLA) to allow only locally-stored users to access the VM

Consult the System Administrator on the corporate policy and procedure of disabling NLA

The requirement for OTP can be changed for console or RDP sessions

See the Credential Provider Preferences and logging sections below for the required registry settings

References

  • Remote Desktop Connection 6.0 message: https://support.microsoft.com/en-us/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e
  • Windows Server 2016 / Windows 10 connection message: http://blog.zmarzly.me/windows-server-2016-windows-10-the-connection-cannot-proceed-because-authentication-is-not-enabled/

End-user Experience

The sample screen shows a Windows 7 machine in an environment using an alternate credential provider

On the main logon screen, if an alternate credential provider was configured, then the Credential Provider and Smart Card tiles appear

1. Select a tile to go to the authentication logon screen

The sample screen shows a Windows 7 machine in an environment using an alternate authentication URL

On the authentication logon screen, Username, Password, and OTP fields appear

If the Additional Authentication Workflow URL was configured, then the link to that realm appears beneath the group of text fields

2. Make entries in the Username, Password, and OTP fields, and click the submit button

Or click the link to the additional authentication realm...

Enter authentication criteria in the field(s) and click Submit

Click Switch User to return to the prior screen, and select the other tile to use the alternate credential provider

(Optional) Credential Provider Preferences

The Credential Provider (by default) requires Multi-Factor Authentication for the local console and for RDP sessions

To change the settings:

1. Select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click each of the registry settings (more information in the section below), enter one of the following options for each selection, and click OK:

  • otpRDP: Default is 2
    • otpEnableForRDP = 0 > SecureAuth CP only enforces for local console 2-Factor logon
    • otpEnableForRDP = 1 > SecureAuth CP only enforces for RDP session 2-Factor logon
    • otpEnableForRDP = 2 > SecureAuth CP enforces for both local and RDP 2-Factor logon

(Optional) Activate Logging

By default, the logging feature is disabled

1. To enable logging for troubleshooting, select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click each of the registry settings, enter one of the following options for each selection, and click OK:

  • otpLog: Default is 0
    • Enter 1 to enable logging
    • Enter 0 to disable logging
  • otpLogPath: Default is %windir%\Temp (e.g. C:\Windows\Temp)
    • Path where SecureAuth stores the log files

4. If 1 is entered in step 3 to enable logging, then click otpLogPath and enter the location to specify where the log file is saved

If contacting SecureAuth Support, then send the following logs:

  • OTPCredentialProvider.txt: Used by Support during the initial troubleshooting to analyze what has occurred
  • OTPManager.txt and OTPSeedCalc.txt: Contain code that SecureAuth developers review to troubleshoot complex issues
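
The registry steps in the Credential Provider Preferences and Activate Logging sections above are easier to audit across a fleet as a script. The following PowerShell is an added example, not SecureAuth's code: it reports the current enforcement and logging state under HKLM\SOFTWARE\SecureAuth2FactorCP and provides functions to change it. The page names the RDP setting both otpRDP and otpEnableForRDP; otpEnableForRDP is used here as an assumption, and the value types (DWORD for the numeric settings, REG_SZ for the path) and the log directory are assumptions as well.

```powershell
# Added example (not SecureAuth's code): audit and set the Credential Provider
# registry preferences described on this page. The value name otpEnableForRDP,
# the value types and the log directory are assumptions, not taken from SecureAuth.
$KeyPath = 'HKLM:\SOFTWARE\SecureAuth2FactorCP'

function Get-SecureAuthCpState {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key not found: $KeyPath (is the Credential Provider installed?)"
    }
    $k = Get-ItemProperty -LiteralPath $KeyPath
    # Page defaults: enforcement 2 (console and RDP), logging off, %windir%\Temp
    $rdp = if ($null -eq $k.otpEnableForRDP) { 2 } else { [int]$k.otpEnableForRDP }
    $log = if ($null -eq $k.otpLog)          { 0 } else { [int]$k.otpLog }
    $dir = if ([string]::IsNullOrEmpty($k.otpLogPath)) { "$env:windir\Temp" } else { $k.otpLogPath }
    [pscustomobject]@{
        RdpEnforcement = switch ($rdp) {
            0 { 'console only' } 1 { 'RDP only' } 2 { 'console and RDP' } default { "unexpected ($rdp)" }
        }
        LoggingEnabled = ($log -eq 1)
        LogPath        = $dir
    }
}

# Steps 3 and 4 of Activate Logging: otpLog=1 plus a writable otpLogPath
function Enable-SecureAuthCpLogging {
    param([string]$Path = 'C:\ProgramData\SecureAuthCP\logs')   # assumed directory
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Set-ItemProperty -LiteralPath $KeyPath -Name otpLog     -Value 1     -Type DWord
    Set-ItemProperty -LiteralPath $KeyPath -Name otpLogPath -Value $Path -Type String
}

# Turn logging back off once the OTPCredentialProvider.txt etc. have been collected
function Disable-SecureAuthCpLogging {
    Set-ItemProperty -LiteralPath $KeyPath -Name otpLog -Value 0 -Type DWord
}

# 0 = console only, 1 = RDP only, 2 = both (the page's default)
function Set-SecureAuthCpRdpEnforcement {
    param([ValidateSet(0, 1, 2)][int]$Mode = 2)
    Set-ItemProperty -LiteralPath $KeyPath -Name otpEnableForRDP -Value $Mode -Type DWord
}

$state = Get-SecureAuthCpState
$state | Format-List
if ($state.RdpEnforcement -ne 'console and RDP') {
    Write-Warning 'MFA is not enforced for both console and RDP logons on this host'
}
```

Run elevated, since the key lives under HKLM. The audit at the bottom flags any host where the second factor is enforced for only one session type, which is the condition the Optional Server Installation Step above can leave behind.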

Uninstall Configuration Steps

1. Double-click the SecureAuth IdP Credential Provider installer

2. Select Remove and then click Next to complete

Enter the following at the Command Prompt:

msiexec /x "msi-path\SecureAuthIdPCredentialProvider.msi" /q

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Troubleshooting / Common Issues

If the additional OTP text box does not display after restart

After initial installation, the Credential Provider may require an extended period of time to display

If the Credential Provider does not display, then an additional restart may be required

Error Messages and What They Mean

An internal system error occurred - please contact your system administrator: This typically indicates that something has been misconfigured, or a component is not registered or is missing. It could also mean that a catastrophic error has occurred, such as a memory allocation error or a disk full situation that requires the attention of an administrator. Uninstall and reinstall is recommended.

Invalid Username, Password, or One-Time Password: This typically indicates that either incorrect credentials were entered or the user did not perform the initial logon when on the domain. The client computer must be able to reach the SecureAuth IdP appliance and the domain for the initial logon so the seed values can be cached in the registry and the computer can be used offline.

An invalid username was entered - please try again: This indicates the username could not be parsed due to invalid syntax (e.g. "\", "\username", "domain\").

Release Notes

Date: June 30, 2016

Version: 2.6.5

What's New

  • 1625: The Self-Service Password Reset (SSPR) option lets an end-user perform a password reset function before logging on to the Windows desktop. The administrator can enable any URL – including a SecureAuth SSPR page – to appear in the embedded browser to provide an additional logon method
  • 1815: An option is available to not display the last logged on user – this is useful for security purposes
  • 1840: An option is available to enable an additional credential provider – this provides the user two different logon methods (e.g. CLSID smart card and SecureAuth 2-Factor Authentication)
  • 1924: TLS 1.0 is no longer required to be enabled on the client computer – this is for security purposes

Known Issues

  • 2020: On Windows 10 OS, the end-user may experience a 30-second delay before the alternate credential provider option is available
  • 2097: On Windows 8.1 and 10 OS, if using multiple credential providers, similar icons may appear on credential provider tiles, which can make it difficult for the end-user to identify the tile to use until clicking it
  • 2132: When an end-user enters an incorrect password, the Active Directory failed password count might be incremented twice