Implement MFA

Implement MFA/SSO

UserLock offers many features. In this post, we will see how to set up two-factor authentication with UserLock so that you can protect your Active Directory sessions.

Prerequisites

Several prerequisites must be met. Use this link to see the full list of prerequisites.

Install UserLock

You can install UserLock on a member server. It is better not to install it on an Active Directory Domain Controller. UserLock does not modify your Active Directory domain or the Active Directory schema.

Download the setup file here.

UserLock - Download UserLock setup file

After creating an account, you can download the file.

Implement MFA/SSO Download file

Run the downloaded file. A wizard appears; select the language and click OK.

Implement MFA/SSO Setup tools

Click Next on the welcome window.

Welcome screen

Check I accept the terms in the licence agreement and click Next.

Accept Licence Agreement

Leave the default value on the Setup type window and click Next.

Setup type

Click Install, then Finish. A new wizard appears; click Next.

New wizard on UserLock install

This is my first server, so I check Primary Server and click Next.

Select the primary server option

Select the Organizational Unit or domain that you want to manage with UserLock. You can uncheck the objects that you do not want to manage.

Uncheck the objects you do not want to manage

Enter the credentials for the UserLock service impersonation account and click Next.

Configure account for impersonation

Click Finish to launch the UserLock administration console.

Finish the UserLock installation

Install UserLock agent

From the UserLock administration console, click Agent distribution, then select the desired computer. Click Install to launch the installation of the agent. You can also have agents installed automatically with the Install automatically agents button.

Install agent on computer

The result appears in the console.

Processes running on my server after the agent has been installed.

Process running on my server

I repeat the same steps on my workstation (Windows 10 2004).

Add protected account

From the UserLock administration console, click Protected accounts, then Protect a new account.

Protect new account

Select the type of account that you want to protect and click Next.

In production, it is preferable to use a user group, which simplifies applying an MFA policy to many users at once.

protect new account

Click Search to select the user.

Select AD user

Enter the name of the user and click Check Names.

Select the user that you need to add

The user has been selected; click Next.

User has been selected

It is possible to define a period during which the protected account is valid. Click Finish without making any changes.

Create account

The protected account has been created.

Configure MFA

It is now possible to configure MFA. Right-click the user or group, then click Properties.

Access the properties of the user

Enable Multi-factor authentication.

Enable Multi-factor authentication

It is possible to enable MFA for All connections, Remote connections, or only From outside connections.

Enable MFA

Select when MFA is used.

Select when MFA is used

Select the Server connections tab. The same choices apply here: MFA can be enabled for All connections, Remote connections, or only From outside connections. Select when MFA is used.

Select MFA for server connections

Click Apply.

Apply policy

Click OK. The MFA policy for the user is now configured.

Configure user

Test MFA

A session can be opened on a workstation or server where the agent has been distributed.

Open a session on a workstation

The Multi-Factor Authentication setup appears.

Multi-Factor Authentication setup appears

On your smartphone (iOS/Android), download an authenticator app. I use Microsoft Authenticator, but you can use another if you prefer.

Open the Authenticator application

Click + to add a new account.

Add new account

Select Other (Google, Facebook, …).

Scan other account

Scan the QR code to add the account.

Scan the QR code

Enter the authentication code in the Multi-factor authentication window and click Verify and continue.

Account has been added
Copy authentication code

The session opens. If I reopen the session, I need to enter an authentication code.

Enter the code after reopening the session

You can also use a YubiKey to open a session.

MFA events statistics

From the UserLock admin console, you can view statistics for the server, agent distribution, MFA authentication, and more.

Statistics of the server
Statistics of MFA
