Implement MFA
UserLock offers many features. In this post, we will see how to manage two-factor authentication with UserLock, so that you can protect your Active Directory logon sessions.
Prerequisites
Several prerequisites must be met. You can use this link to see the full list of prerequisites.
Install UserLock
You can install UserLock on a member server. It is better not to install it on an Active Directory Domain Controller. UserLock does not modify your Active Directory domain or the Active Directory schema.
Download the setup file here.
After creating an account, you can download the file.
Run the downloaded file. A wizard appears; select the language and click OK.
Click Next on the Welcome window.
Check I accept the terms in the license agreement and click Next.
Leave the default value on the Setup Type window and click Next.
Click Install, then Finish. A new wizard appears; click Next.
It's my first server, so I check Primary Server and click Next.
Select the Organizational Units or the domain that you want to manage with UserLock. You can uncheck any objects that you don't want to manage.
Enter the credentials for the UserLock service impersonation account and click Next.
Click Finish to launch the UserLock administration console.
Install UserLock agent
From the UserLock administration console, click Agent distribution, then select the desired computer. Click Install to launch the agent installation. You can also deploy agents automatically with the Install Automatically agents button.
The result appears in the console.
The processes running on my server where the agent has been installed.
I repeat the same steps on my workstation (Windows 10 2004).
Add protected account
From the UserLock administration console, click Protected account, then Protect a new account.
Select the type of account that you want to protect and click Next.
In production, it is preferable to use a user group, which simplifies applying an MFA policy to many users at once.
Click Search to select the user.
Enter the name of the user and click Check Names.
Once the user has been selected, click Next.
It is possible to define a period during which the protected account is valid. Click Finish without making any changes.
The protected account has been created.
Configure MFA
It is now possible to configure MFA. Right-click the user or group, then click Properties.
Enable Multi-factor authentication.
MFA can be enabled for All connections, Remote connections, or only connections From outside. Select when MFA is used.
Select the Server connections tab. The same choices are available there (All connections, Remote connections, or only From outside); select when MFA is used for server connections.
Click Apply.
Click OK. The MFA policy for the user is now configured.
Test MFA
A session can be opened on a workstation or server where the agent has been distributed.
The Multi-Factor Authentication setup window appears.
On the smartphone (iOS/Android), download an authenticator app. I use Microsoft Authenticator, but you can use another one if you want.
Click + to add a new account.
Select Other (Google, Facebook, …).
Scan the QR code to add the account.
Enter the authentication code in the Multi-factor authentication window and click Verify and continue.
The session opens. If I reopen the session, I need to enter an authentication code.
You can also use a YubiKey to open a session.
MFA event statistics
From the UserLock admin console, you can view statistics for the server, agent distribution, MFA authentication, and more.