Security Notice

A critical security vulnerability affects SecureAuth Credential Provider versions 2.6.5 to 2.8.2. SecureAuth recommends all users upgrade to version 2.8.5 immediately.

Contact a SecureAuth Support representative, or refer to SecureAuth Security Bulletin SA-2018-02 (SecureAuth Credential Provider), for details.

SecureAuth Credential Provider v2.8.5 (the last version released for this product) is compatible with SecureAuth IdP versions 8.x - 9.1

See the Login for Windows or Login for Mac documentation for information about the products that replace the SecureAuth Credential Provider product in SecureAuth IdP v9.2.

Introduction

Use the SecureAuth IdP Credential Provider to protect Windows Desktops and Servers with an additional Multi-Factor Authentication module.

Companies and organizations use the SecureAuth IdP Credential Provider to enhance typical Windows Logon functions by adding a Multi-Factor Authentication requirement to the username and password validation.

SecureAuth IdP Credential Provider supports usage of the following features:

  • OATH OTP Multi-Factor Authentication method provided by a SecureAuth mobile, desktop, or browser app, or a third-party hardware token
  • online and offline mode
  • Logon and Unlock Windows functions
  • 2-Factor Bypass List of user groups (e.g. Admins) permitted to log on without providing the second factor (OTP)
  • Multi-user Mode for terminal server / RDSH – which defaults the user ID field to blank rather than another user's information – to ensure security for multiple users logging on the same machine
  • SecureAuth Self-service Password Reset which lets users securely update their password information
  • additional credential provider which lets users employ two distinct login methods (such as via smart cards and SecureAuth's Multi-Factor Authentication)

With this latest version of the SecureAuth Credential Provider, all transactions are further secured by username, password, and OTP validation via SecureAuth's Cloud Services and Windows IWA. The configuration can also be altered to remove the OTP requirement in order to enable Self-service Password Reset for Windows login credentials (see the Optional Configuration section below for more information).

For SecureAuth IdP appliances 8.0.0 - 9.0.1, the ProfileWS Hotfix must be installed on the SecureAuth IdP appliance to use Credential Provider v2.8.5, after upgrading to / installing CP v2.8.5

Refer to the SecureAuth IdP ProfileWS Hotfix 170412 for installation steps and other necessary information

For SecureAuth IdP appliances 9.0.2+, the hotfix is not required, but see the 9.0.2 Configurations Steps section in the Prerequisites below for possible requirements

NOTE: The Credential Provider only supports the OATH Seed mode (single OATH seed value), and not OATH Token mode (multiple OATH seed values)

Do not install the Credential Provider on the SecureAuth IdP appliance – This can cause a deadlock condition and disable access to the appliance

With the exception of the Microsoft-provided credential providers, SecureAuth Credential Provider does not support third-party credential providers

Prerequisites

SecureAuth IdP: Version 8.0+

SecureAuth App Enrollment Realm: (e.g. SecureAuth998) completely configured beforehand

Windows devices / components:

  • Windows 7, 8.1 or 10 desktop (32-bit or 64-bit support)
  • Windows 2008 R2, 2012 or 2012 R2, 2016 server (64-bit only support)
  • .NET 4.5 Framework
  • SSL certificate matching the FQDN of the SecureAuth IdP appliance
  • Domain-joined desktops
  • Domain or non-domain-joined servers

Complete the Configuration Steps for SecureAuth IdP version 9.0.2 (if applicable)

SecureAuth IdP 9.0.2 Configuration Steps

If currently using the Credential Provider on a 9.0.2 appliance, then delete the following appSetting from the Provisioning Realm's web.config file:

<add key="CpValidateOTP" value="False" />

NOTE: This setting may not be present in the web.config file; if it is not, then no action is required

This setting may have been added to the file to enable compatibility with earlier versions of the Credential Provider, but after the upgrade it is no longer required

With Credential Provider v2.8.2 or greater, this appSetting should not be present in the web.config

SecureAuth IdP Configuration Steps
Execute the following configuration steps in addition to the configuration steps in the App Enrollment / OATH Provisioning Realm
System Info

1. In the App Enrollment Realm / OATH Provisioning Realm, in the Links section of the System Info tab, click Click to edit Web Config file

2. In the web.config file, verify that the <system.serviceModel> section of the authentication realm appears as follows:

NOTE: For SecureAuth IdP versions 8.0.1 and earlier, useRequestHeadersForMetadataAddress must be added manually

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior>
                <useRequestHeadersForMetadataAddress/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
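As an added check that is not part of SecureAuth's documentation, the following PowerShell reads a realm's web.config on the appliance and reports both conditions described above: the stale CpValidateOTP appSetting from the 9.0.2 steps and a missing useRequestHeadersForMetadataAddress element. The web.config path is an assumption.

```powershell
# Added example, not SecureAuth's own tooling. Checks an App Enrollment realm's
# web.config for the two Credential Provider requirements described on this page.
param(
    # Assumed location; point this at the realm actually used for OATH enrollment.
    [string]$WebConfigPath = 'D:\SecureAuth\SecureAuth998\web.config'
)

[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$problems = @()

# 1. On IdP 9.0.2 with Credential Provider v2.8.2+, the CpValidateOTP appSetting
#    must not be present (it existed only for older Credential Provider versions).
$stale = $cfg.SelectNodes('/configuration/appSettings/add[@key="CpValidateOTP"]')
if ($stale.Count -gt 0) {
    $problems += 'Delete <add key="CpValidateOTP" .../> from <appSettings>'
}

# 2. <useRequestHeadersForMetadataAddress/> must exist under
#    system.serviceModel/behaviors/serviceBehaviors/behavior
#    (added manually on IdP 8.0.1 and earlier).
$xpath = '/configuration/system.serviceModel/behaviors/serviceBehaviors/behavior/useRequestHeadersForMetadataAddress'
if ($cfg.SelectNodes($xpath).Count -eq 0) {
    $problems += 'Add <useRequestHeadersForMetadataAddress/> inside <serviceBehaviors><behavior>'
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $WebConfigPath meets the Credential Provider v2.8.5 requirements"
} else {
    $problems | ForEach-Object { Write-Output "FIX: $_" }
    exit 1
}
```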

Installation Steps

The SecureAuth Credential Provider installer supports both Wizard-mode and silent-mode installation

1. Contact SecureAuth Support to obtain the SecureAuth IdP Credential Provider for Windows (either 32-bit or 64-bit)

SecureAuth IdP Credential Provider Setup Wizard

2. Start the .msi file, which launches the SecureAuth IdP Credential Provider Setup Wizard

3. Once the Wizard initiates, click Next to continue the installation

2-Factor Bypass Option

4. Set the IdP Web Service URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the SecureAuth App Enrollment Realm name, and /webservice/profilews.svc, e.g. https://secureauth.company.com/secureauth998/webservice/profilews.svc

The IdP Web Service URL is required for all installations, even those upgrading from a previous version of the Credential Provider

If the URL is not provided here, then the installer will not complete and will require reinstallation / configuration

5. Provide a list of user group(s) that are allowed to bypass Multi-Factor Authentication at logon, or leave blank to require Multi-Factor Authentication for all users

The users belonging to the groups listed are not required to authenticate to log on desktops / servers

Nested groups are not supported

Groups able to bypass authentication must be an AD "Security Group"

6. Click Next

Optional Features

7. Enter the class identifier corresponding to the Windows OS type to provide users the ability to use a smart card with an alternate credential provider, or leave blank to not include an alternate credential provider

This value is unique to the Microsoft Credential Provider being used and must be obtained by the customer

8. Click Next

9. Check Display Last Logon User ID to show the previous user's logon ID in the Username field, or leave unchecked to not show the ID of the last user that logged on

This option can be employed only on desktops, and does not work for Windows Server logins

10. Click Next

11. Provide an Additional Authentication Workflow URL (e.g. the Self-service Password Reset realm) and the associated Link Label that appears beneath the logon entry fields, or leave blank to not include a link to another realm

12. Click Next

 

Complete Installation

13. Click Next to confirm the installation

14. Click Yes to allow the software to be installed on the machine

15. Click Close to complete the installation

 

Silent mode is intended for enterprise administrators who use software distribution tools or group policies for MSI distribution / installation

2. Open a Command Prompt with sufficient privileges to run the installer and enter the following (see the notes below for the parameters):

msiexec /i "msi-path\SecureAuthIdPCredentialProvider.msi" /qn /l* log-file-name.txt OtpSeedURL=https://secureauth.company.com/secureauth998/webservice/profilews.svc OtpGroupBypassList="Domain Admins" CacheLastUsername=0 WorkflowURL=https://secureauth.company.com/secureauth# WorkflowLabel="Self-Service Password Reset" AlternateCredentialProvider="CLSID GUID"

Required:

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Replace secureauth.company.com with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance

Replace secureauth998 with the actual SecureAuth App Enrollment Realm if using a different realm for the OATH Seed Enrollment

Optional:

Replace log-file-name with the actual name of the log file

Replace Domain Admins with the actual Group Name(s) that bypass Multi-Factor Authentication (comma-delimited)

Set the value for CacheLastUsername to 1 (default) to display the last logged on user in the User ID field (typical for personal laptops)

When the value is set to 0, the User ID field is blank for every logon (typical for kiosks or servers)

Set values for WorkflowURL, WorkflowLabel, and AlternateCredentialProvider specific to the realm location, workflow type, and alternate credential provider method

3. Review the log file for any failure or error messages

If upgrading from a previous version of the Credential Provider, then for the initial logon, the end-user's device must be connected to the corporate network
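The silent install above, wrapped in PowerShell as an added example that is not SecureAuth's own tooling: it builds and sanity-checks the required OtpSeedURL, runs msiexec with the parameters described, and checks the exit code and log as in step 3. MsiPath, IdpFqdn and the log path are assumptions supplied by the caller; the optional WorkflowURL, WorkflowLabel and AlternateCredentialProvider parameters are left out.

```powershell
# Added example, not SecureAuth's own tooling. Wraps the silent msiexec
# install shown above: validates the required OtpSeedURL, runs the installer,
# and checks the exit code and log (step 3). MsiPath and IdpFqdn are assumptions
# supplied by the caller.
param(
    [Parameter(Mandatory)][string]$MsiPath,         # e.g. C:\users\admin\downloads\SecureAuthIdPCredentialProvider.msi
    [Parameter(Mandatory)][string]$IdpFqdn,         # e.g. secureauth.company.com
    [string]$Realm = 'secureauth998',               # App Enrollment / OATH Seed Enrollment realm
    [string[]]$BypassGroups = @(),                  # empty = Multi-Factor Authentication for all users
    [ValidateSet(0, 1)][int]$CacheLastUsername = 0, # 0 = blank User ID field (kiosks / servers)
    [string]$LogPath = "$env:TEMP\SecureAuthCP-install.txt"
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# The IdP Web Service URL is required even for upgrades; without it the installer
# does not complete. Build it from the FQDN and realm and sanity-check the shape.
$seedUrl = "https://$IdpFqdn/$Realm/webservice/profilews.svc"
if ($seedUrl -notmatch '^https://[A-Za-z0-9.-]+/[A-Za-z0-9_-]+/webservice/profilews\.svc$') {
    throw "Malformed IdP Web Service URL: $seedUrl"
}

$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*', "`"$LogPath`"",
             "OtpSeedURL=$seedUrl", "CacheLastUsername=$CacheLastUsername")
if ($BypassGroups.Count -gt 0) {
    # Each entry must be an AD Security Group; nested groups are not supported.
    $msiArgs += "OtpGroupBypassList=`"$($BypassGroups -join ',')`""
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); review $LogPath"
}

# Heuristic scan of the MSI log for failed actions ("Return value 3" marks a failure).
$failures = Select-String -LiteralPath $LogPath -Pattern 'Return value 3|Installation failed'
if ($failures) { $failures | ForEach-Object { Write-Warning $_.Line } }
Write-Output 'Installed. For upgrades, the first logon must occur on the corporate network.'
```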

Optional Server Installation Step:

Disable Network Level Authentication (NLA) to allow only locally-stored users to access the VM

Consult the System Administrator on the corporate policy and procedure of disabling NLA

The OTP requirement can be enforced separately for console and RDP sessions

See the (Optional) Credential Provider Preferences section below for the required registry settings

References:

  • Remote Desktop Connection 6.0 message:

https://support.microsoft.com/en-us/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e

  • Windows Server 2016 / Windows 10 connection message:

http://blog.zmarzly.me/windows-server-2016-windows-10-the-connection-cannot-proceed-because-authentication-is-not-enabled/

End-user Experience

The sample screen shows an environment using an alternate credential provider

1. On the main logon screen, if an alternate credential provider is configured in step 7, select the additional Credential Provider option and insert the smart card

The sample screen shows an environment using an alternate authentication URL (e.g. Self-service Password Reset)

On the authentication logon screen, Username, Password, and OTP fields appear

If the Additional Authentication Workflow URL is configured, then the link to that realm appears beneath the group of text fields

2. Make entries in the Username, Password, and OTP fields, and click the submit button

Or click the link to the additional authentication realm...

Enter authentication criteria in the field(s) and click Submit

(Optional) Credential Provider Preferences

The Credential Provider (by default) requires Multi-Factor Authentication for the local console and for RDP sessions

To change the settings:

1. Select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click each of the registry settings (more information in the section below), enter one of the following options for each selection, and click OK:

otpRDP: Default is 2

  • otpEnableForRDP = 0 > SecureAuth CP enforces 2-Factor logon only for the local console
  • otpEnableForRDP = 1 > SecureAuth CP enforces 2-Factor logon only for RDP sessions
  • otpEnableForRDP = 2 > SecureAuth CP enforces 2-Factor logon for both the local console and RDP sessions
  • otpEnableForRDP = 3 > SecureAuth CP does not enforce OTP; only username and password are required
    • This enables Self-service Password Reset for Windows login without requiring users to authenticate into the machine

(Optional) Activate Logging

By default, the logging feature is disabled

1. To enable logging for troubleshooting, select Start and search for regedit

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SecureAuth2FactorCP

3. Double-click each of the registry settings, enter one of the following options for each selection, and click OK:

  • otpLog: Default is 0
    • Enter 1 to enable logging
    • Enter 0 to disable logging
  • otpLogPath: Default is %windir%\Temp (e.g. C:\Windows\Temp)
    • Path where SecureAuth stores the log files

 

4. If 1 was entered for otpLog in step 3, then double-click otpLogPath and enter the location where the log file is to be saved

If contacting SecureAuth Support, then send the following logs:

  • OTPCredentialProvider.txt: Used by Support during the initial troubleshooting to analyze what has occurred
  • OTPManager.txt and OTPSeedCalc.txt: Contain code that SecureAuth developers review to troubleshoot complex issues
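To review the Preferences and Logging settings described in the two sections above across a fleet, the following PowerShell (an added example, not SecureAuth's own tooling) reads HKLM\SOFTWARE\SecureAuth2FactorCP on each machine and flags any that weaken OTP enforcement or were left with logging enabled. It reads otpEnableForRDP as named in the value list above; the registry value types are not documented here, so values are compared as strings, which is an assumption.

```powershell
# Added example, not SecureAuth's own tooling. Audits the Credential Provider
# registry settings from the two sections above on one or more machines and
# flags configurations that weaken OTP enforcement or leave logging enabled.
# Reads otpEnableForRDP (the value name used in the list above); value types are
# not documented here, so values are compared as strings.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

$keyPath = 'SOFTWARE\SecureAuth2FactorCP'
$rdpMeaning = @{
    '0' = 'OTP enforced for local console only; RDP logons skip OTP'
    '1' = 'OTP enforced for RDP sessions only; console logons skip OTP'
    '2' = 'OTP enforced for both local console and RDP (default)'
    '3' = 'OTP not enforced; username and password only'
}

foreach ($pc in $ComputerName) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pc)
        $key  = $hklm.OpenSubKey($keyPath)
    } catch { Write-Warning "${pc}: cannot open registry ($_)"; continue }
    if (-not $key) {
        Write-Warning "${pc}: HKLM\$keyPath missing (Credential Provider not installed?)"
        $hklm.Close(); continue
    }

    $rdp  = [string]$key.GetValue('otpEnableForRDP', '2')  # page default: 2
    $log  = [string]$key.GetValue('otpLog', '0')           # page default: 0
    $path = [string]$key.GetValue('otpLogPath', '%windir%\Temp')

    $meaning = if ($rdpMeaning.ContainsKey($rdp)) { $rdpMeaning[$rdp] } else { "unexpected value '$rdp'" }
    $level   = if ($rdp -eq '2') { 'OK' } else { 'REVIEW' }
    Write-Output ('{0,-16} {1,-7} otpEnableForRDP={2}  {3}' -f $pc, $level, $rdp, $meaning)

    if ($log -eq '1') {
        # Logging is a troubleshooting aid; report machines where it was left on.
        Write-Output ('{0,-16} {1,-7} otpLog=1, logs written to {2}' -f $pc, 'REVIEW', $path)
    }
    $key.Close(); $hklm.Close()
}
```

Run it with -ComputerName against the hosts to audit; remote registry access requires the Remote Registry service and administrative rights on each target.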

Uninstall Configuration Steps

1. Double-click the SecureAuth IdP Credential Provider installer

2. Select Remove and then click Next to complete

Or, to uninstall in silent mode, enter the following at the Command Prompt:

msiexec /x "msi-path\SecureAuthIdPCredentialProvider.msi" /q

Replace msi-path with the actual path of the file, e.g. C:\users\admin\downloads

Check the .msi Filename for accuracy, and ensure that the filename matches the .msi file downloaded before proceeding (e.g. 64-bit or 32-bit)

Troubleshooting / Common Issues
If the additional OTP text box does not display after restart

After initial installation, the Credential Provider may require an extended period of time to display

If the Credential Provider does not display, then an additional restart may be required

Error Messages and What They Mean

An internal system error occurred - please contact your system administrator: This typically indicates that something has been misconfigured, or a component is not registered or is missing. It could also mean that a catastrophic error has occurred, such as a memory allocation error or a disk full situation that requires the attention of an administrator. Uninstall and reinstall is recommended.

Invalid Username, Password, or One-Time Password: This typically indicates that either incorrect credentials were entered or the user did not perform the initial logon when on the domain. The client computer must be able to reach the SecureAuth IdP appliance and the domain for the initial logon so the seed values can be cached in the registry and the computer can be used offline.

An invalid username was entered - please try again: This indicates the username could not be parsed due to invalid syntax (e.g. "\", "\username", "domain\").

Release Notes

Version 2.8.5

Release Date: May 14, 2018

Fixed Issue: This release includes an important security vulnerability fix only.