SecSign ID Plugin: Windows Services

2016-12-15 5 minutes to read

Two-Factor Authentication for Windows Services (Windows Server)

Use SecSign ID to enable two-factor authentication on your Windows Server with an easy and highly secure user login using iOS or Android mobile devices. SecSign ID two-factor authentication adds another layer of security by using a second token; in this case the physical token is your smartphone. Alternatively, a one-time password based on RFC 6238 (TOTP: Time-Based One-Time Password Algorithm) may be used for the login.

Feel free to get in touch with us if you need help setting up your SecSign ID plugin or to request a plugin for a not yet supported environment.

Enrollment

Active Directory Two-Factor Authentication Activation and Extension

This article describes how to activate two-factor authentication for your Active Directory users as part of the integration with your Windows system.
Your users are stored in Active Directory. To activate two-factor authentication for users and user groups you have two options.

Activate the two-factor authentication without schema extension

Your users are managed in Active Directory and can be divided into security groups, for example “2FA required” for administrators. Active Directory holds the information that the user requires an additional authentication by an external Identity Provider (IdP) after a successful user name and password authentication.
This Identity Provider is the SecSign ID two-factor authentication server, which can run either on-premise or in the SecSign ID Cloud.
The request is similar to a SAML authentication: all required information (user name, group, …) is transmitted to the IdP, which can then start the authentication with the received information.

Please contact us if you prefer to activate the 2FA without a schema extension.


Activate the two-factor authentication with schema extension

The Active Directory can be edited using mmc.exe which is part of Windows Server 2012. The Snap-in “Active Directory Schema” is initially not available in mmc.exe, but can be added by running regsvr32 schmmgmt.dll in a console with administrator rights:

Then, mmc.exe should be started. The search function integrated into Windows Server 2012 will find it. The entry Add/Remove Snap-in in the File menu of mmc.exe opens a dialog containing the entry Active Directory Schema. This entry should be selected and added to the Console Root on the right, followed by a click on OK:

Selecting the Attributes node and choosing Create Attribute… from its context menu will display the following dialog.

Here, a “SecSign ID” attribute has to be created with:

  • Common Name: SecSign ID
  • LDAP Display Name: secSignID
  • Unique X500 Object ID: 1.3.6.1.4.1.15027.4.1
  • Description: SecSign ID user name
  • Syntax: Unicode String
  • Minimum: 4

Then, the Properties entry in the context menu of the user entry below the Classes node will display this dialog.

The optional attribute secSignID created in the step before has to be added here.
Now the Active Directory schema is ready and the Windows administrator may add the actual SecSign ID user name to each user. The following PowerShell command assigns the SecSign ID user name paulsmith to the Windows user paul:

To query the user’s SecSign ID:

To delete the SecSign ID:

In larger installations there may be a tool that allows users to edit this value in Active Directory themselves.
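As an added example (not the vendor's command from the tutorial), the following PowerShell functions manage the secSignID attribute created in the schema step with the ActiveDirectory module (RSAT), which is assumed to be installed; 'paul' and 'paulsmith' are the names used in the text above.

```powershell
# Added example; not the vendor's command. Manages the custom secSignID
# attribute defined above via the ActiveDirectory module (assumed installed).
Import-Module ActiveDirectory

function Set-SecSignId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SecSignId
    )
    # The schema step defined a minimum length of 4; checking it here gives a
    # clearer error than the directory's constraint violation would.
    if ($SecSignId.Length -lt 4) {
        throw "SecSign ID '$SecSignId' is shorter than the schema minimum of 4 characters."
    }
    # -Replace overwrites an existing value instead of adding a second one.
    Set-ADUser -Identity $SamAccountName -Replace @{ secSignID = $SecSignId }
}

function Get-SecSignId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Custom attributes are only returned when requested explicitly.
    (Get-ADUser -Identity $SamAccountName -Properties secSignID).secSignID
}

function Remove-SecSignId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Clear secSignID
}

function Get-SecSignEnrolledUsers {
    # Audit helper: every account that currently carries a SecSign ID, so that
    # stale or unexpected enrollments can be reviewed.
    Get-ADUser -LDAPFilter '(secSignID=*)' -Properties secSignID |
        Select-Object SamAccountName, secSignID
}

# Usage with the names from the tutorial: assign, query, list, delete.
Set-SecSignId    -SamAccountName 'paul' -SecSignId 'paulsmith'
Get-SecSignId    -SamAccountName 'paul'
Get-SecSignEnrolledUsers
Remove-SecSignId -SamAccountName 'paul'
```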

Windows Login

2FA for Credential Provider / Windows Login

The SecSign ID credential provider adds a SecSign ID log-in after the interactive Windows log-on with user name and password. This affects direct log-ins at the PC as well as Remote Desktop connections.

Windows Login: Prerequisites

The SecSign ID Credential Provider looks up the SecSign ID user name of a Windows user in the Active Directory of the Windows domain. Therefore:

  • The PC on which the credential provider is installed must be a member of a Windows domain, and
  • The SecSign ID log-in following the password log-in is active for those users who have a SecSign ID user name stored in their user attribute, as well as for those users who are members of a pre-configured 2FA user group in the Windows Active Directory.
    All other users only need the log-in with a Windows password and no 2FA. The Enrollment section above describes the required Active Directory setup.

Windows Login: Installation

Run SecSignCredProv-Setup.exe.

The installer will automatically download and install Microsoft’s Visual Studio 2015 runtime components as well as the .NET 4 runtime if not installed yet.

The SecSign ID Credential provider uses the following registry keys which you will find at HKLM\SOFTWARE\SecSign\CredentialProvider.
Please edit them to match your environment.

– ServiceNameForSecSignApp: The name of your service for which the login will be secured by the SecSign ID. The SecSignApp will display this text during the log-in.

– ServiceAddressForSecSignApp: The address of your service for which the login will be secured by the SecSign ID. The SecSignApp will display this text during the log-in. Typically this is a URL.

– SecSignIDServerHostName: The host name of the SecSign ID Server.

– SecSignIDServerPort: The port at the SecSign ID Server for requests from mobile devices.

– UserGroupWithSecSignIDLogin: Name of the user group in the Active Directory that contains the users who will need to perform a 2FA after their password login. The SecSign ID user name is the sAMAccountName of the Windows user.
We recommend using a customized SecSign ID app in this scenario to ensure that a SecSign ID with this specific name can only be created if the user knows the corresponding Windows password.
Users in subgroups are considered members of the group.

– FallbackSecSignIDServerHostName: The host name of the optional fallback SecSign ID Server if you have one.

– FallbackSecSignIDServerPort: The port at the optional fallback SecSign ID Server for requests from mobile devices.
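The following added example (not part of the vendor's credential provider) reads the registry values listed above and reports, for one Windows user, whether the second factor will be requested and which SecSign ID the provider would look for, following the rules from the prerequisites section. It assumes REG_SZ values, the ActiveDirectory module, and (an assumption, since the text does not say) that the secSignID attribute takes precedence over group membership.

```powershell
# Added example; not the vendor's code. Assumes REG_SZ registry values and that
# the secSignID attribute wins over group membership (not stated in the text).
Import-Module ActiveDirectory

$RegPath = 'HKLM:\SOFTWARE\SecSign\CredentialProvider'

function Test-CredentialProviderConfig {
    # Fail early on settings the provider cannot work without.
    $cfg = Get-ItemProperty -Path $RegPath
    foreach ($name in 'SecSignIDServerHostName', 'SecSignIDServerPort',
                      'ServiceNameForSecSignApp') {
        if ([string]::IsNullOrWhiteSpace([string]$cfg.$name)) {
            throw "$name is empty under $RegPath"
        }
    }
    $cfg
}

function Get-SecSignLoginDecision {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $cfg  = Test-CredentialProviderConfig
    $user = Get-ADUser -Identity $SamAccountName -Properties secSignID

    # Rule 1: a secSignID attribute means 2FA with that SecSign ID.
    if ($user.secSignID) {
        return [pscustomobject]@{
            User = $SamAccountName; TwoFactor = $true
            SecSignId = $user.secSignID; Reason = 'secSignID attribute set'
        }
    }

    # Rule 2: members of UserGroupWithSecSignIDLogin, subgroups included, get
    # 2FA with their sAMAccountName as SecSign ID.
    $group = [string]$cfg.UserGroupWithSecSignIDLogin
    if ($group) {
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        if ($members.SamAccountName -contains $user.SamAccountName) {
            return [pscustomobject]@{
                User = $SamAccountName; TwoFactor = $true
                SecSignId = $user.SamAccountName; Reason = "member of '$group'"
            }
        }
    }

    # Everyone else: password login only, no second factor.
    [pscustomobject]@{
        User = $SamAccountName; TwoFactor = $false
        SecSignId = $null; Reason = 'no attribute, not in 2FA group'
    }
}

Get-SecSignLoginDecision -SamAccountName 'paul' | Format-List
```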

Windows Login: Login

With the SecSign ID Credential Provider installed, the Windows log-in consists of:

  1. Windows username and password entry.
  2. SecSign ID approval on the mobile device.

The login with the SecSign ID may be performed by selecting the corresponding access pass in the SecSign App, or with a one-time password that is displayed either in an authenticator app or on the display of a hardware ID token.

Login with Access Pass

Login with OTP (one-time password)

Safe Mode

The SecSign ID Credential Provider is not active if Windows is booted into Safe Mode. You must therefore make sure that users cannot reboot Windows into Safe Mode.

MS Remote Desktop Web

2FA for MS Remote Desktop Web Access

Microsoft’s Remote Desktop Web Access service allows users to run published Windows applications from a browser. If the SecSign ID log-in has been added to the RD Web Access site, then after the usual log-in with Windows user name and password a second page asks for confirmation of the log-in using SecSign ID:

MS Remote Desktop Web Access: Installation

Log in using a domain administrator account on the Windows Server which has the RD Web Access role. Then run SecSign-RD-WebAccess-Setup.exe:

Run cmd.exe or PowerShell:

  • Type: certlm.msc
  • Select the node Certificates – Local Computer -> Personal -> Certificates.
  • Select the HTTPS certificate of this host.
  • Select All Tasks -> Manage Private Keys… from the context menu of the certificate.
  • Add Read permissions for the SERVICE account.
  • The integration of SecSign ID into the Microsoft Remote Desktop Web Access log-in requires editing five files in C:\Windows\Web\RDWeb. The installer has placed an example of each file with the required modifications into this folder and its subfolders. The example files have the same file name plus the extension SecSignID.
  • Run a diff tool like ExamDiff or Araxis Merge.
  • Integrate the modifications from the example files having .SecSignID as extension into the original files on your machine. Be careful since your files may have other modifications already which you probably want to keep. For example you may have modified the files in the past to present the RD Web Access site in your corporate design.
  • If you are unsure how to do the modifications we will be happy to perform the modifications for you. In this case please send us a copy of the respective files or the whole RDWeb folder to support@secsign.com.
  • Run regedit.exe.
  • Open HKEY_LOCAL_MACHINE\SOFTWARE\SecSign\RDWebAccess.
  • Set SecSignIDServerHostName and SecSignIDServerPort to the host name and port of your SecSign ID Server. You will find the port number in the properties files of your SecSign ID Server in the line secsignidserver.port=… .
  • If you have a second SecSign ID Server, enter its host name and port in FallbackSecSignIDServerHostName and FallbackSecSignIDServerPort. Otherwise, you may enter the values of the primary SecSign ID Server again.
  • The values configured in ServiceAddressForSecSignApp and ServiceNameForSecSignApp will be displayed in the user’s SecSign App during a log-in.
  • SharedSecretWithRDGateway must contain random bytes. Type arbitrary characters here, but make sure that the length remains exactly 64 bytes.

After installing the SecSign ID plug-in for Microsoft Remote Desktop Gateway the shared secret has to be copied there. The SecSign ID RD Web Access plug-in uses the secret to sign a gateway access token which it inserts into the RDP files of each published application. The SecSign ID RD Gateway plug-in will validate the signature using the same secret.

Finally, open your RD Web Access URL in a browser, log-in using your Windows user name and password and test the SecSign ID log-in. If anything fails the Windows Event Log will contain more information in Windows Logs → Application with the source SecSign ID RD Web Access.

MS Remote Desktop Gateway

2FA for Microsoft Remote Desktop Gateway

The SecSign ID log-in integration into RD Web Access alone only protects the RD Web Access log-in in a browser. A user who knows the necessary details to create an RDP file could log in directly at the RD Gateway using the Remote Desktop Client. Furthermore, users could download RDP files generated by RD Web Access and use them again later without logging in at the RD Web Access site again.

The SecSign ID PAA (pluggable authentication and authorization) plug-in for Microsoft’s Remote Desktop Gateway prevents the aforementioned unwanted direct log-ins at the RD Gateway. To achieve this, the SecSign ID plug-in validates the signature of the gateway access token which has been inserted into the RDP file by the SecSign ID RD Web Access plug-in after a successful SecSign ID log-in at the RD Web Access site using a browser.

  • Log in using a domain administrator account on the Windows Server which has the RD Gateway role.
  • Run SecSign-RD-Gateway-Setup.
  • Run regedit.exe.
  • Open HKEY_LOCAL_MACHINE\SOFTWARE\SecSign\RDGatewayAuthentication.
  • SharedSecretWithRDWebAccess has to contain exactly the same 64 bytes as the respective value SharedSecretWithRDGateway in the adjacent registry key RDWebAccess.
  • AccessTokenMaxAgeSeconds defines for how many seconds after an RD Web Access log-in the generated RDP files are allowed to run the published applications. The remote desktop client’s connection to the RD session host remains open for a certain time; during this time the opening of published applications is still possible even if AccessTokenMaxAgeSeconds has already expired. A user may always generate fresh RDP files by reloading the RD Web Access page in his browser. Only someone who downloads and copies an RDP file cannot use it after the RD Web Access log-out, or on another computer, once AccessTokenMaxAgeSeconds has expired.

The Windows Event Log will contain information about SecSign ID log-ins in “Windows Logs → Application” with the source “SecSign ID RD Gateway”.
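As an added example (not the vendor's code; the real gateway access token format is not documented on this page), the script below first checks that RD Web Access and RD Gateway hold the same 64-byte secret in the two registry keys named above, and then illustrates the scheme the text describes with an HMAC-SHA256 token that the gateway side accepts only while it is younger than AccessTokenMaxAgeSeconds. It assumes REG_SZ registry values; the secret and timestamps in the demonstration are constructed.

```powershell
# Added example; not the vendor's code or token format. Assumes REG_SZ values.
function Test-RdSharedSecret {
    $web = Get-ItemProperty 'HKLM:\SOFTWARE\SecSign\RDWebAccess'
    $gw  = Get-ItemProperty 'HKLM:\SOFTWARE\SecSign\RDGatewayAuthentication'
    $a = [string]$web.SharedSecretWithRDGateway
    $b = [string]$gw.SharedSecretWithRDWebAccess
    $problems = @()
    if ([Text.Encoding]::UTF8.GetByteCount($a) -ne 64) {
        $problems += 'SharedSecretWithRDGateway is not 64 bytes long'
    }
    if ($a -cne $b) {   # case-sensitive: the plug-ins compare raw bytes
        $problems += 'RDWebAccess and RDGatewayAuthentication secrets differ'
    }
    if ($problems.Count -eq 0) { 'shared secret OK' } else { $problems }
}

# Illustration of a secret-signed token: HMAC-SHA256 over "user|issuedAtUnix".
function New-GatewayAccessToken {
    param([byte[]]$Secret, [string]$User, [long]$IssuedAtUnix)
    $payload = "$User|$IssuedAtUnix"
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    $mac     = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($payload))
    "$payload|" + [Convert]::ToBase64String($mac)
}

# Gateway side: recompute the MAC with its own secret and enforce the max age.
function Test-GatewayAccessToken {
    param([byte[]]$Secret, [string]$Token, [int]$MaxAgeSeconds, [long]$NowUnix)
    $parts = $Token -split '\|'
    if ($parts.Count -ne 3) { return 'rejected: malformed token' }
    $expected = New-GatewayAccessToken -Secret $Secret -User $parts[0] `
                                       -IssuedAtUnix ([long]$parts[1])
    # A token signed with a different secret, or a changed payload, fails here.
    if ($expected -cne $Token) { return 'rejected: bad signature' }
    if (($NowUnix - [long]$parts[1]) -gt $MaxAgeSeconds) { return 'rejected: token too old' }
    'accepted'
}

# Demonstration with a constructed 64-byte secret and a constructed timeline.
$secret = [Text.Encoding]::UTF8.GetBytes('0123456789abcdef' * 4)
$issued = 1481760000
$token  = New-GatewayAccessToken -Secret $secret -User 'paul' -IssuedAtUnix $issued
# Fresh token, correct secret: accepted.
Test-GatewayAccessToken -Secret $secret -Token $token -MaxAgeSeconds 300 -NowUnix ($issued + 60)
# Same token replayed an hour later: rejected because AccessTokenMaxAgeSeconds passed.
Test-GatewayAccessToken -Secret $secret -Token $token -MaxAgeSeconds 300 -NowUnix ($issued + 3600)
# Gateway configured with a different secret: signature check fails.
$other = [Text.Encoding]::UTF8.GetBytes('fedcba9876543210' * 4)
Test-GatewayAccessToken -Secret $other -Token $token -MaxAgeSeconds 300 -NowUnix ($issued + 60)
```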

Radius Proxy

2FA for Radius Proxy

The SecSign ID RADIUS proxy allows you to add the SecSign ID log-in to systems with RADIUS support. This includes, for example, a VPN log-in to a Windows Server 2012. A RADIUS client that wants to process the log-in of a user sends a request to the SecSign ID RADIUS proxy. The proxy forwards the primary authentication, containing user name and password, to a forward RADIUS server. If this server has validated user name and password and allows the log-in, the proxy initiates a SecSign ID log-in as a secondary authentication. The user then authenticates the log-in using his private 2048-bit key in the SecSignApp on his smart phone. Finally, the SecSign ID RADIUS proxy informs the RADIUS client about the success of the log-in.

Radius Proxy: Installation

Java VM

As the SecSign ID RADIUS proxy is written in Java, it can be run on any operating system with Java support, for example Windows or Linux. The first step of the installation is therefore to install a recent Java virtual machine, preferably a 64-bit version, available from Oracle’s web site.

SecSign ID RADIUS proxy installation

The directory SecSignIDRadiusProxy contains the application code in a JAR file and its configuration file. This directory has to be copied to the system that shall run the SecSign ID RADIUS proxy.

SecSign ID RADIUS proxy configuration file

The configuration file secradiusproxy.properties needs to be edited.
The default port number of RADIUS is 1812. If necessary, a different value may be set here:

If the SecSign ID RADIUS proxy shall only bind to a specific IP address it may be specified here. The default is to bind to all IP addresses the machine has.

For each RADIUS client (for example a Microsoft Windows Server) the proxy needs to know the IP address and the shared secret. The list of RADIUS clients starts with the index ‘0’ and may have any number of entries, which are consecutively numbered.

The proxy also needs to know where to forward the RADIUS access requests for validation of the primary authentication credentials (user name and password). This forward RADIUS server may be for example another Microsoft Windows Server or even the same as the RADIUS client.

For each Windows user whose log-in shall be secured by the SecSign ID, the Active Directory must contain an attribute holding the SecSign ID user name of this user. The proxy uses an LDAP connection to query the SecSign ID user name in the Active Directory. For this LDAP connection it needs the name and password of a technical user with read access to the users branch of the Active Directory. Furthermore, the base DN tells the proxy where to find the users branch in the LDAP tree. The recommended full name of this technical user is SecSign ID Radius Proxy and its description: Technical user to allow AD LDAP queries for the SecSign ID RADIUS proxy.

The proxy keeps a copy of each received RADIUS packet for a certain time in order to recognize duplicate packets. The proxy also remembers the Windows user names for which it is waiting for the completion of the SecSign ID log-in, and will not start a new log-in session for such users if requested by the RADIUS client. The timeout for both kinds of list entries can be specified here.

In order to initiate a SecSign ID log-in the SecSign ID RADIUS proxy needs the host name of the SecSign ID server and optionally of fallback SecSign ID servers:

The connection to the SecSign ID server is TLS encrypted. Therefore, a DER encoded trusted certificate of the SecSign ID server may be configured. If the server uses a certificate issued on its official DNS name by a regular trust center (public CA), this configuration entry is not necessary.

A timeout value may be set after which the proxy tries to send its request to the next fallback SecSign ID server:

The SecSign ID RADIUS proxy may use an HTTP proxy to send requests to the SecSign ID server. The HTTP proxy has the following settings:

If certain hosts can be reached without the general HTTP proxy they can be named here:

The SecSign ID RADIUS proxy may write a log file. It contains all messages whose severity is equal to or above a specified level.

The levels are:

  • 0: Error
  • 10: Warning
  • 20: Standard
  • 30: Usage
  • 40: Event
  • 50: Debug
  • 60: Verbose

The proxy may begin a new log file each day:

Radius Proxy: Start

The proxy can be started with:

The proxy will output messages like:

Pressing ^C in the terminal window will end the proxy.

Radius Proxy: Windows Server 2012 R2 as Radius Client

The SecSign ID RADIUS proxy can be used with different systems that support RADIUS. As an example the following section shows how to configure the SecSign ID RADIUS proxy in a Microsoft Windows Server 2012.

In the Server Manager the option Network Policy Server in the Tools menu will open the configuration of the Network Policy Server. A new RADIUS server can be added at the node NPS (Local) – RADIUS Clients and Servers – Remote RADIUS Server Groups. There, in the context menu the option New opens the following dialog in which a RADIUS server group with a name like SecSign ID RADIUS proxy group may be created:

The button Add shows a dialog in which the IP address or host name of the SecSign ID RADIUS proxy can be added:

The shared secret has to be entered in the Authentication/Accounting tab. It must be identical to the value of secradiusproxy.radiusclient..sharedsecret in the configuration file of the proxy.

In the Load Balancing tab it is necessary to set the Number of seconds without response before a request is considered dropped to at least 60 seconds. This time allows the user to perform the SecSign ID authentication on his smart phone. The SecSign ID RADIUS proxy cannot answer the RADIUS client before the SecSign ID log-in is completed.

Now, the Microsoft Network Policy Server will be configured to send RADIUS requests to the SecSign ID RADIUS proxy in case of for example a VPN log-in: Selecting the node NPS (Local) – Policies – Connection Request Policies shows the following dialog:

A double click on Microsoft Routing and Remote Access Service Policy displays a dialog in which the tab Settings has to be selected. The node Forwarding Connection Request – Authentication allows you to specify that RADIUS requests shall be forwarded to the SecSign ID RADIUS proxy:

Radius Proxy: Windows Server 2012 R2 as Forward Radius Server

The SecSign ID RADIUS proxy can forward RADIUS requests to different systems that support RADIUS. As an example the following section shows how to allow the SecSign ID RADIUS proxy as a RADIUS client in a Microsoft Windows Server 2012.

In the Server Manager the option Network Policy Server in the Tools menu will open the configuration of the Network Policy Server. A new RADIUS client can be added at the node NPS (Local) – RADIUS Clients and Servers – RADIUS Clients. There, in the context menu the option New opens the following dialog in which a RADIUS client with a name like SecSign ID RADIUS proxy may be created.

The IP address or DNS host name is the one of the machine running the SecSign ID RADIUS proxy. The shared secret is the same which was specified as secradiusproxy.forwardradiusserver.sharedsecret in the configuration file of the proxy.

2FA for Windows VPN

If the SecSign ID RADIUS proxy is integrated into a Microsoft Windows Server infrastructure it can be used to secure for example the log-in of a Windows 8.1 VPN client with SecSign ID.

To create a VPN connection using Microsoft Windows 8.1, open the Windows Control Panel and then the Network and Sharing Center. Select:

  • Set up a new connection or network
  • Connect to a workplace and finally:
  • Use my Internet connection (VPN)

In this example, the Internet address of the VPN target is win2012r2.secsignersde.com and the destination is described by the name “VPN with SecSign ID”.

Pressing Create opens the Windows side bar showing all connections. Selecting VPN with SecSign ID and clicking on Connect opens a password entry asking for the Windows user name and password having an account at the VPN target:

When Windows 8.1 says Verifying your credentials, please authenticate the log-in in the SecSignApp on your smart phone.

If desired, the authentication methods for the VPN connection can be changed in the network adapter settings in the Network and Sharing Center of the Windows Control Panel. The SecSign ID RADIUS proxy supports the authentication methods MS-CHAP v2 and PAP:

