Azure Multi-Factor Authenticaion on premise – Tricks updated may 2017

I want to share with you some of the tips and tricks when deploying the Azure MFA on premise. These tips are from my own personal experience of dealing with Azure MFA services.

Tip : SMS Notification – One Way or Two Way

If you are using SMS notification option, then you would notice that a one time password is sent to your phone as an SMS, and you have to reply with another message (this mode is called Two-Way SMS Notification). My comments here are :

  • Extra charges, because the person doing the multi-factor authentication needs to send a message back with the OTP.
  • It is better if you can type the OTP to the browser itself if possible, instead of replying to the SMS.

Although replying with another SMS is completely out of band and more secure option, some may argue that it would better if the OTP could be sent via SMS and then being typed to the application itself (this is called One-Way SMS Notification)

On the MFA on premise server console, the option to choose One-Way  SMS notification is grayed out. You can only choose the Two-Way !

SMS Azure

After searching alot on the web to find a way to activate the One-Way SMS notification, I realized that this is only possible via the Azure Multi-Factor Authentication SDK. The SDK exposes the option of One-Way SMS as seen below:

OTP Azure

This means if you have developed a logon page, you can use the SDK and use the MODE_SMS_ONE_WAY_OTP option there. But what if you want to use the One-Way SMS notification option to secure a VPN connection. You simply cannot because the VPN endpoint will most probably may not support code to be injected to its logon functionality where you can use the SDK.

Update : On Microsoft Technet Forum, asking about Two-Way SMS, and getting this answer:“MFA Server v6.2.2 and older doesn’t have one-way SMS capability. It is being added to v6.3 which is expected to release in Jan 2015. The one-way SMS will work with the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS, the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can be prompted for the OTP.”

Update: The new version of MFA v6.3 supports SMS_ONE_WAY_OTP as per https://social.msdn.microsoft.com/Forums/en-US/b20d9859-b27e-4918-a370-db79fa7612cc/one-way-sms-otp-in-azure-mfa-server?forum=windowsazureactiveauthentication

Tip: How to use the OTP that is generated from the Azure MFA mobile app

The Azure Multi-Factor mobile app servers two things:

  • Push notification: where you receive a push notification and you can click (Verify), (Cancel), or (Cancel and report fraud).
  • Offline OTP (one time password) that is changed every couple of seconds.

So the question is how to use the offline OTP? I have implemented a solution where I could use the offline OTP. To do this, the user should be configured with OATH Token as shown in the below figure.

oath

I am using Citrix NetScaler as a VPN gateway and i have configured it as RAIUS client and I pointed it to the on premise MFA server as the RADIUS server.

Now when connecting to the Citrix VPN gateway, I am prompted with the user name and password:

NetscalerMFA

After that, I am prompted to enter the OTP:

NetscalerMFA2

I then will open the Azure MFA mobile app, and I enter the OTP that is generated for me offline and keep changing with time:

AzureMobileApp2

Tip: using MFA with Microsoft RRAS as a VPN solution

I used Windows 2012 R2 as my RRAS server to configure a two factor authentication for VPN client. I will be using SSTP as my protocol.

The following configuration are made to NPS:

Configuring the Connection Request Policy to point to the MFA on premise server as the RADIUS server

RRAS_MFA3

Configuring the Network Policy with PAP as the authentication method. Do not be afraid because we are using SSTP (HTTPS) as the VPN tunnel method, so the credentials will be sent over HTTPS.

MFA_RRAS4

Now on RRAS console, configure the authentication method as PAP, and configure a certificate for SSTP:

MFA_RRAS

Finally, to enforce SSTP as the only tunneling protocol, go to Ports node, right click and click Properties, and configure the number of ports as shown below [for all ports except SSTP and PPTP, configure zero ports, and one port for PPTP]

mfa_rras2

Now when a Windows client tries to connect to my RRAS, it should be configured with PAP as the authentication method:

RRAS_MFA_5

When you connect, the PAP credentials will be secured via the SSL tunnel, and then the MFA server will encrypt the credentials before sending them to the one premise MFA server as shown in my trace:

RADIUS Message2

The only thing you should worry about is that the Microsoft VPN client on Windows client will time out quickly before the two factor authentication finishes, a registry hack on the client may solve this issue to extend the time out:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP:MaxConifgure=10

Change this to 60 for example.

Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you’ll beget an error.

See Also