diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-adfs-adfs2.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-adfs-adfs2.md index 97d398618f4f3..a2a42cd032d75 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-adfs-adfs2.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-adfs-adfs2.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: 96168849-241a-4499-a224-d829913caa7e ms.service: multi-factor-authentication @@ -13,10 +12,11 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/24/2017 +ms.date: 06/14/2017 ms.author: kgremban +ms.reviewer: yossib -ms.custom: H1Hack27Feb2017 +ms.custom: H1Hack27Feb2017, it-pro --- # Configure Azure Multi-Factor Authentication Server to work with AD FS 2.0 This article is for organizations that are federated with Azure Active Directory, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Azure Multi-Factor Authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points. @@ -34,9 +34,9 @@ To secure AD FS 2.0 with a proxy, install the Azure Multi-Factor Authentication
![Setup](./media/multi-factor-authentication-get-started-adfs-adfs2/setup1.png)
4. To detect username, password, and domain variables automatically, enter the login URL (like https://sso.contoso.com/adfs/ls) within the Auto-Configure Form-Based Website dialog box and click **OK**. -5. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. +5. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. 6. If the page variables cannot be detected automatically, click the **Specify Manually…** button in the Auto-Configure Form-Based Website dialog box. -7. In the Add Form-Based Website dialog box, enter the URL to the AD FS login page in the Submit URL field (like https://sso.contoso.com/adfs/ls) and enter an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. +7. In the Add Form-Based Website dialog box, enter the URL to the AD FS login page in the Submit URL field (like https://sso.contoso.com/adfs/ls) and enter an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. 8. Set the Request format to **POST or GET**. 9. Enter the Username variable (ctl00$ContentPlaceHolder1$UsernameTextBox) and Password variable (ctl00$ContentPlaceHolder1$PasswordTextBox). If your form-based login page displays a domain textbox, enter the Domain variable as well. 
To find the names of the input boxes on the login page, go to the login page in a web browser, right-click on the page and select **View Source**. 10. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. @@ -48,7 +48,7 @@ To secure AD FS 2.0 with a proxy, install the Azure Multi-Factor Authentication - Select how to authenticate the primary credentials 12. Since the AD FS proxy server is not likely to be joined to the domain, you can use LDAP to connect to your domain controller for user import and pre-authentication. In the Advanced Form-Based Website dialog box, click the **Primary Authentication** tab and select **LDAP Bind** for the Pre-authentication Authentication type. -13. When complete, click **OK** to return to the Add Form-Based Website dialog box. +13. When complete, click **OK** to return to the Add Form-Based Website dialog box. 14. Click **OK** to close the dialog box. 15. Once the URL and page variables have been detected or entered, the website data displays in the Form-Based panel. 16. Click the **Native Module** tab and select the server, the website that the AD FS proxy is running under (like “Default Web Site”), or the AD FS proxy application (like “ls” under “adfs”) to enable the IIS plug-in at the desired level. 
@@ -90,14 +90,14 @@ You can secure AD FS when the AD FS proxy is not used. Install the Azure Multi-F 3. Click **Add**. 4. In the Add Base URL dialogue box, enter the URL for the AD FS website where HTTP authentication is performed (like https://sso.domain.com/adfs/ls/auth/integrated) into the Base URL field. Then, enter an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. 5. If desired, adjust the Idle timeout and Maximum session times. -6. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. +6. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. 7. Check the cookie cache box if desired.
![Setup](./media/multi-factor-authentication-get-started-adfs-adfs2/noproxy.png)
8. Click **OK**. 9. Click the **Native Module** tab and select the server, the website (like “Default Web Site”), or the AD FS application (like “ls” under “adfs”) to enable the IIS plug-in at the desired level. -10. Click the **Enable IIS authentication** box at the top of the screen. +10. Click the **Enable IIS authentication** box at the top of the screen. Azure Multi-Factor Authentication is now securing AD FS. diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-assign-licenses.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-assign-licenses.md index 2beb611feae93..8f0096f134df6 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-assign-licenses.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-assign-licenses.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: 514ef423-8ee6-4987-8a4e-80d5dc394cf9 ms.service: multi-factor-authentication @@ -13,8 +12,11 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/13/2017 +ms.date: 06/13/2017 ms.author: kgremban +ms.reviewer: yossib +ms.custom: it-pro + ROBOTS: NOINDEX --- # Assigning an Azure MFA, Azure AD Premium, or Enterprise Mobility license to users @@ -37,4 +39,4 @@ If you have purchased Azure MFA, Azure AD Premium, or Enterprise Mobility Suite ## Next steps -- For more information, see [What is Microsoft Azure Active Directory licensing?](../active-directory/active-directory-licensing-what-is.md) \ No newline at end of file +- For more information, see [What is Microsoft Azure Active Directory licensing?](../active-directory/active-directory-licensing-what-is.md) 
diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider.md index 5564011ddf4ac..7621db0aa16a5 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: a7dd5030-7d40-4654-8fbd-88e53ddc1ef5 ms.service: multi-factor-authentication 
@@ -13,20 +12,27 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/24/2017 +ms.date: 06/14/2017 ms.author: kgremban - +ms.reviewer: yossib +ms.custom: it-pro --- + # Getting started with an Azure Multi-Factor Auth Provider Two-step verification is available by default for global administrators who have Azure Active Directory, and Office 365 users. However, if you wish to take advantage of [advanced features](multi-factor-authentication-whats-next.md) then you should purchase the full version of Azure Multi-Factor Authentication (MFA). -> [!NOTE] -> An Azure Multi-Factor Auth Provider is used to take advantage of features provided by the full version of Azure MFA. It is for users who **do not have licenses through Azure MFA, Azure AD Premium, or EMS**. Azure MFA, Azure AD Premium, and EMS include the full version of Azure MFA by default. If you have licenses, then you do not need an Azure Multi-Factor Auth Provider. +An Azure Multi-Factor Auth Provider is used to take advantage of features provided by the full version of Azure MFA. It is for users who **do not have licenses through Azure MFA, Azure AD Premium, or Enterprise Mobility + Security (EMS)**. Azure MFA, Azure AD Premium, and EMS include the full version of Azure MFA by default. If you have licenses, then you do not need an Azure Multi-Factor Auth Provider. An Azure Multi-Factor Auth provider is required to download the SDK. > [!IMPORTANT] -> To download the SDK, create an Azure Multi-Factor Auth Provider even if you have Azure MFA, AAD Premium, or EMS licenses. If you create an Azure Multi-Factor Auth Provider for this purpose and already have licenses, be sure to create the Provider with the **Per Enabled User** model. Then, link the Provider to the directory that contains the Azure MFA, Azure AD Premium, or EMS licenses. 
This configuration ensures that you are only billed if you have more unique users performing two-step verification than the number of licenses you own. +> To download the SDK, create an Azure Multi-Factor Auth Provider even if you have Azure MFA, AAD Premium, or EMS licenses. If you create an Azure Multi-Factor Auth Provider for this purpose and already have licenses, be sure to create the Provider with the **Per Enabled User** model. Then, link the Provider to the directory that contains the Azure MFA, Azure AD Premium, or EMS licenses. This configuration ensures that you are only billed if you have more unique users performing two-step verification than the number of licenses you own. + +## What is an Azure Multi-Factor Auth Provider? + +If you don't have licenses for Azure Multi-Factor Authentication, you can create an auth provider to require two-step verification for your users. If you are developing a custom app and want to enable Azure MFA, create an auth provider and [download the SDK](multi-factor-authentication-sdk.md). + +There are two types of auth providers, and the distinction is around how your Azure subscription is charged. The per-authentication option calculates the number of authentications performed against your tenant in a month. This option is best if you have a number of users authenticating only occasionally, like if you require MFA for a custom application. The per-user option calculates the number of individuals in your tenant who perform two-step verification in a month. This option is best if you have some users with licenses but need to extend MFA to more users beyond your licensing limits. ## Create a Multi-Factor Auth Provider Use the following steps to create an Azure Multi-Factor Auth Provider. 
@@ -53,4 +59,3 @@ Use the following steps to create an Azure Multi-Factor Auth Provider. ![Creating an MFA Provider](./media/multi-factor-authentication-get-started-auth-provider/authprovider5.png) 8. Once you click create, the Multi-Factor Authentication Provider is created and you should see a message stating: **Successfully created Multi-Factor Authentication Provider**. Click **Ok**. ![Creating an MFA Provider](./media/multi-factor-authentication-get-started-auth-provider/authprovider6.png) - diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint.md index 1d493c5db3c90..6b5e9ccdc1e2a 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: def7a534-cfb2-492a-9124-87fb1148ab1f ms.service: multi-factor-authentication @@ -13,9 +12,10 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/16/2017 +ms.date: 06/16/2017 ms.author: kgremban - +ms.reviewer: yossib +ms.custom: it-pro --- # Directory integration between Azure MFA Server and Active Directory Use the Directory Integration section of the Azure MFA Server to integrate with Active Directory or another LDAP directory. You can configure attributes to match the directory schema and set up automatic user synchronization. @@ -91,7 +91,7 @@ Attributes may be entered manually and are not required to match an attribute in | Extension |Enter the attribute name of the attribute that contains the phone number extension in a user record. The value of the extension field is used as the extension to the primary phone number only. The default is blank.

If the Extension attribute is not specified, extensions can be included as part of the phone attribute. In this case, precede the extension with an 'x' so that it gets parsed correctly. For example, 555-123-4567 x890 would result in 555-123-4567 as the phone number and 890 as the extension. | | Restore Defaults button |Click **Restore Defaults** to return all attributes back to their default value. The defaults should work properly with the normal Active Directory or ADAM schema. | -To edit attributes, click **Edit** on the Attributes tab. This brings up a window where you can edit the attributes. Select the **...** next to any attribute to open a window where you can choose which attributes to display. +To edit attributes, click **Edit** on the Attributes tab. This brings up a window where you can edit the attributes. Select the **...** next to any attribute to open a window where you can choose which attributes to display. ![Edit Attributes](./media/multi-factor-authentication-get-started-server-dirint/dirint4.png) @@ -134,4 +134,3 @@ The Move Up and Move Down buttons allow the administrator to change the order of Additional Multi-Factor Auth Servers may be set up to serve as a backup RADIUS proxy, LDAP proxy, or for IIS Authentication. The Synchronization configuration is shared among all the agents. However, only one of these agents may have the Multi-Factor Auth Server service running. This tab allows you to select the Multi-Factor Auth Server that should be enabled for synchronization. ![Multi-Factor-Auth Servers](./media/multi-factor-authentication-get-started-server-dirint/dirint6.png) - diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-iis.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-iis.md index 5403a6c402fca..e93a4ace529c3 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-iis.md 
+++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-iis.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: d1bf1c8a-2c10-4ae6-9f4b-75f0c3df43eb ms.service: multi-factor-authentication @@ -13,10 +12,10 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/26/2017 +ms.date: 06/16/2017 ms.author: kgremban - -ms.custom: H1Hack27Feb2017 +ms.reviewer: yossib +ms.custom: H1Hack27Feb2017,it-pro --- # Configure Azure Multi-Factor Authentication Server for IIS web apps 
@@ -33,17 +32,17 @@ To secure an IIS web application that uses form-based authentication, install th 4. To detect username, password and domain variables automatically, enter the Login URL (like https://localhost/contoso/auth/login.aspx) within the Auto-Configure Form-Based Website dialog box and click **OK**. 5. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked. 6. If the page variables cannot be detected automatically, click **Specify Manually** in the Auto-Configure Form-Based Website dialog box. -7. In the Add Form-Based Website dialog box, enter the URL to the login page in the Submit URL field and enter an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. +7. In the Add Form-Based Website dialog box, enter the URL to the login page in the Submit URL field and enter an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. 8. Select the correct Request format. This is set to **POST or GET** for most web applications. 9. Enter the Username variable, Password variable, and Domain variable (if it appears on the login page). To find the names of the input boxes, navigate to the login page in a web browser, right-click on the page, and select **View Source**. -10. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. 
If a significant number of users have not yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked. +10. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked. 11. Click **Advanced** to review advanced settings, including: - Select a custom denial page file - Cache successful authentications to the website for a period of time using cookies - Select whether to authenticate the primary credentials against a Windows Domain, LDAP directory. or RADIUS server. -12. Click **OK** to return to the Add Form-Based Website dialog box. +12. Click **OK** to return to the Add Form-Based Website dialog box. 13. Click **OK**. 14. Once the URL and page variables have been detected or entered, the website data displays in the Form-Based panel. 
@@ -51,11 +50,11 @@ To secure an IIS web application that uses form-based authentication, install th To secure an IIS web application that uses Integrated Windows HTTP authentication, install the Azure MFA Server on the IIS web server, then configure the Server with the following steps: 1. In the Azure Multi-Factor Authentication Server, click the IIS Authentication icon in the left menu. -2. Click the **HTTP** tab. +2. Click the **HTTP** tab. 3. Click **Add**. 4. In the Add Base URL dialogue box, enter the URL for the website where HTTP authentication is performed (like http://localhost/owa) and provide an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. 5. Adjust the Idle timeout and Maximum session times if the default is not sufficient. -6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked. +6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked. 7. Check the **Cookie cache** box if desired. 8. Click **OK**. 
@@ -73,4 +72,3 @@ The Trusted IPs allows users to bypass Azure Multi-Factor Authentication for web 2. Click **Add**. 3. When the Add Trusted IPs dialog box appears, select the **Single IP**, **IP range**, or **Subnet** radio button. 4. Enter the IP address, range of IP addresses or subnet that should be whitelisted. If entering a subnet, select the appropriate Netmask and click **OK**. The whitelist has now been added. - diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-radius.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-radius.md index be09bb9dc5498..a7cd0f80dbd24 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-radius.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-radius.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: f4ba0fb2-2be9-477e-9bea-04c7340c8bce ms.service: multi-factor-authentication 
@@ -15,15 +14,15 @@ ms.devlang: na ms.topic: get-started-article ms.date: 02/26/2017 ms.author: kgremban - -ms.custom: H1Hack27Feb2017 +ms.reviewer: yossib +ms.custom: H1Hack27Feb2017, it-pro --- # Integrate RADIUS authentication with Azure Multi-Factor Authentication Server Use the RADIUS Authentication section of Azure MFA Server to enable and configure RADIUS authentication. RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure Multi-Factor Authentication Server acts as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target, which could be Active Directory (AD), an LDAP directory, or another RADIUS server to add Azure Multi-Factor Authentication. For Azure Multi-Factor Authentication (MFA) to function, you must configure the Azure MFA Server so that it can communicate with both the client servers and the authentication target. The Azure MFA Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure Multi-Factor Authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure Multi-Factor Authentication succeed. > [!NOTE] > The MFA Server only supports PAP (password authentication protocol) and MSCHAPv2 (Microsoft's Challenge-Handshake Authentication Protocol) RADIUS protocols when acting as a RADIUS server. Other protocols, like EAP (extensible authentication protocol), can be used when the MFA server acts as a RADIUS proxy to another RADIUS server that supports that protocol. -> +> > In this configuration, one-way SMS and OATH tokens don't work since the MFA Server can't initiate a successful RADIUS Challenge response using alternative protocols. ![Radius Authentication](./media/multi-factor-authentication-get-started-server-rdg/radius.png) 
@@ -35,13 +34,13 @@ To configure RADIUS authentication, install the Azure Multi-Factor Authenticatio 2. Check the **Enable RADIUS authentication** checkbox. 3. On the Clients tab, change the Authentication and Accounting ports if the Azure MFA RADIUS service needs to listen for RADIUS requests on non-standard ports. 4. Click **Add**. -5. Enter the IP address of the appliance/server that will authenticate to the Azure Multi-Factor Authentication Server, an application name (optional), and a shared secret. +5. Enter the IP address of the appliance/server that will authenticate to the Azure Multi-Factor Authentication Server, an application name (optional), and a shared secret. The application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages. - The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and appliance/server. + The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and appliance/server. -6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. +6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users have not yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked. 7. Check the **Enable fallback OATH token** box if you want to use OATH passcodes from mobile verification apps as a fallback to the out-of-band phone call, SMS, or push notification. 8. Click **OK**. 
@@ -51,20 +50,20 @@ Repeat steps 4 through 8 to add as many additional RADIUS clients as you need. 1. Click the **Target** tab. 2. If the Azure MFA Server is installed on a domain-joined server in an Active Directory environment, select Windows domain. -3. If users should be authenticated against an LDAP directory, select **LDAP bind**. +3. If users should be authenticated against an LDAP directory, select **LDAP bind**. To use LDAP bind, click the Directory Integration icon and edit the LDAP configuration on the Settings tab so that the Server can bind to your directory. Instructions for configuring LDAP can be found in the [LDAP Proxy configuration guide](multi-factor-authentication-get-started-server-ldap.md). 4. If users should be authenticated against another RADIUS server, select RADIUS server(s). 5. Click **Add** to configure the server to which the Azure MFA Server will proxy the RADIUS requests. -6. In the Add RADIUS Server dialog box, enter the IP address of the RADIUS server and a shared secret. +6. In the Add RADIUS Server dialog box, enter the IP address of the RADIUS server and a shared secret. The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server. 7. Click **OK**. 8. Add the Azure MFA Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Azure MFA Server. Use the same shared secret configured in the Azure Multi-Factor Authentication Server. -Repeat these steps to add more RADIUS servers and configure the order in which the Azure MFA Server should call them with the **Move Up** and **Move Down** buttons. +Repeat these steps to add more RADIUS servers and configure the order in which the Azure MFA Server should call them with the **Move Up** and **Move Down** buttons. This completes the Azure Multi-Factor Authentication Server configuration. 
The Server is now listening on the configured ports for RADIUS access requests from the configured clients. @@ -74,4 +73,3 @@ To configure the RADIUS client, use the guidelines: * Configure your appliance/server to authenticate via RADIUS to the Azure Multi-Factor Authentication Server’s IP address, which will act as the RADIUS server. * Use the same shared secret that was configured earlier. * Configure the RADIUS timeout to 30-60 seconds so that there is time to validate the user’s credentials, perform two-step verification, receive their response, and then respond to the RADIUS access request. - diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice.md index 94d344be89d36..2652a23eb9f55 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: 6c8d6fcc-70f4-4da4-9610-c76d66635b8b ms.service: multi-factor-authentication 
@@ -13,16 +12,16 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/25/2017 +ms.date: 06/15/2017 ms.author: kgremban - -ms.custom: H1Hack27Feb2017 +ms.reviewer: yossib +ms.custom: H1Hack27Feb2017,it-pro --- # Enable mobile app authentication with Azure Multi-Factor Authentication Server -The Microsoft Authenticator app offers an additional out-of-band verification option. Instead of placing an automated phone call or SMS to the user during login, Azure Multi-Factor Authentication pushes a notification to the Microsoft Authenticator app on the user’s smartphone or tablet. The user simply taps **Verify** (or enters a PIN and taps “Authenticate”) in the app to complete their sign-in. +The Microsoft Authenticator app offers an additional out-of-band verification option. Instead of placing an automated phone call or SMS to the user during login, Azure Multi-Factor Authentication pushes a notification to the Microsoft Authenticator app on the user’s smartphone or tablet. The user simply taps **Verify** (or enters a PIN and taps “Authenticate”) in the app to complete their sign-in. -Using a mobile app for two-step verification is preferred when phone reception is unreliable. If you use the app as an OATH token generator, it doesn't require any network or internet connection. +Using a mobile app for two-step verification is preferred when phone reception is unreliable. If you use the app as an OATH token generator, it doesn't require any network or internet connection. Installing the user portal on a server other than the Azure Multi-Factor Authentication Server requires the following steps: 
@@ -48,10 +47,10 @@ To use the Microsoft Authenticator app, the following are required so that the a ## Install the web service SDK -If the Azure Multi-Factor Authentication Web Service SDK is not already installed on the Azure Multi-Factor Authentication (MFA) Server, go to that server and open the Azure MFA Server. +If the Azure Multi-Factor Authentication Web Service SDK is not already installed on the Azure Multi-Factor Authentication (MFA) Server, go to that server and open the Azure MFA Server. 1. Click the Web Service SDK icon. -2. Click **Install Web Service SDK** and follow the instructions presented. +2. Click **Install Web Service SDK** and follow the instructions presented. The Web Service SDK must be secured with an SSL certificate. A self-signed certificate is okay for this purpose. Import the certificate into the “Trusted Root Certification Authorities” store of the Local Computer account on the User Portal web server so that it will trust that certificate when initiating the SSL connection. 
@@ -62,7 +61,7 @@ Before installing the mobile app web service, be aware of the following details: * If the Azure MFA User Portal is already installed on the Internet-facing server, the username, password, and URL to the Web Service SDK can be copied from the User Portal’s web.config file. * It is helpful to open a web browser on the Internet-facing web server and navigate to the URL of the Web Service SDK that was entered into the web.config file. If the browser can get to the web service successfully, it should prompt you for credentials. Enter the username and password that were entered into the web.config file exactly as it appears in the file. Ensure that no certificate warnings or errors are displayed. -* If a reverse proxy or firewall is sitting in front of the Mobile App Web Service web server and performing SSL offloading, you can edit the Mobile App Web Service web.config file so that the Mobile App Web Service can use http instead of https. SSL is still required from the Mobile App to the firewall/reverse proxy. Add the following key to the \ section: +* If a reverse proxy or firewall is sitting in front of the Mobile App Web Service web server and performing SSL offloading, you can edit the Mobile App Web Service web.config file so that the Mobile App Web Service can use http instead of https. SSL is still required from the Mobile App to the firewall/reverse proxy. Add the following key to the \ section: 
@@ -76,11 +75,11 @@ Before installing the mobile app web service, be aware of the following details: A short virtual directory name is recommended since users must enter the Mobile App Web Service URL into the mobile device during activation. -4. After finishing the install of the Azure Multi-Factor AuthenticationMobileAppWebServiceSetup, browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name) and edit the web.config file. +4. After finishing the install of the Azure Multi-Factor AuthenticationMobileAppWebServiceSetup, browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name) and edit the web.config file. 5. Locate the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD keys. Set the values to the username and password of the service account that is a member of the PhoneFactor Admins security group. This may be the same account being used as the Identity of the Azure Multi-Factor Authentication User Portal if that has been previously installed. Be sure to enter the Username and Password in between the quotation marks at the end of the line, (value=””/>). Use a qualified username like domain\username or machine\username. -6. Locate the pfMobile App Web Service_pfwssdk_PfWsSdk setting. Change the value from *http://localhost:4898/PfWsSdk.asmx* to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (like https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). +6. Locate the pfMobile App Web Service_pfwssdk_PfWsSdk setting. Change the value from *http://localhost:4898/PfWsSdk.asmx* to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (like https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, you must reference the Web Service SDK by server name and not IP address. 
The SSL certificate would have been issued for the server name and the URL used must match the name on the certificate. The server name may not resolve to an IP address from the Internet-facing server. If this is the case, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the web.config file after changes have been made. diff --git a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-windows.md b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-windows.md index 315c1c3590fe7..62d63751364d2 100644 --- a/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-windows.md +++ b/articles/multi-factor-authentication/multi-factor-authentication-get-started-server-windows.md @@ -5,7 +5,6 @@ services: multi-factor-authentication documentationcenter: '' author: kgremban manager: femila -editor: yossib ms.assetid: 19a4043f-c4ce-43c0-80e7-2548ee92cb74 ms.service: multi-factor-authentication @@ -13,9 +12,10 @@ ms.workload: identity ms.tgt_pltfrm: na ms.devlang: na ms.topic: get-started-article -ms.date: 02/06/2017 +ms.date: 06/06/2017 ms.author: kgremban - +ms.reviewer: yossib +ms.custom: it-pro --- # Windows Authentication and Azure Multi-Factor Authentication Server Use the Windows Authentication section of the Azure Multi-Factor Authentication Server to enable and configure Windows authentication for applications. Before you set up Windows Authentication, keep the following list in mind:
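Review bot: In the `@@ -13,16 +12,16 @@` hunk of multi-factor-authentication-get-started-server-mobileapp (the "Enable mobile app authentication" file), the unchanged context line that closes the hunk, "Installing the user portal on a server other than the Azure Multi-Factor Authentication Server requires the following steps:", introduces the user portal, not the mobile app web service this article and the hunks that follow describe; since the surrounding paragraphs are being re-touched anyway, that sentence should be reworded to name the Mobile App Web Service so the lead-in matches the procedure. Separately, the new `ms.custom: H1Hack27Feb2017,it-pro` line omits the space after the comma that the same patch uses in the AD FS 2.0 file (`H1Hack27Feb2017, it-pro`); pick one form for all files.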
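Review bot: The `@@ -48,10 +47,10 @@` hunk changes nothing but trailing whitespace on the "If the Azure Multi-Factor Authentication Web Service SDK is not already installed..." and "Click **Install Web Service SDK**..." lines, which is fine, but a reviewer has to diff the `-`/`+` pairs character by character to confirm that; say "whitespace-only" in the commit message or split these cleanups from the metadata changes so the intent is obvious.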
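Review bot: In the `@@ -62,7 +61,7 @@` hunk the SSL-offloading bullet still ends with "Add the following key to the \ section:" on both the `-` and `+` lines, so the name of the web.config element the key belongs in has been lost (most likely an angle-bracketed element name swallowed by Markdown); since this line is being rewritten, restore the element name, escaped so it renders, otherwise the instruction cannot be followed. The same bullet tells the reader the Mobile App Web Service may use http once a proxy performs SSL offloading; it should also state that the plaintext hop between the proxy and the web server must stay on a trusted network segment, because the preceding sentence only covers the Mobile App-to-proxy leg.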
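Review bot: In the `@@ -76,11 +75,11 @@` hunk the rewritten step 6 still refers to "the pfMobile App Web Service_pfwssdk_PfWsSdk setting", which cannot be a web.config key as written (keys do not contain spaces) and looks like a product-name find-and-replace that ran across an identifier; likewise step 4's "Azure Multi-Factor AuthenticationMobileAppWebServiceSetup" is missing the space before the installer name. Both `+` lines are being touched for whitespace only, so verify the actual key name against the shipped web.config and correct these two strings in the same change rather than re-committing the corrupted text.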
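Review bot: The `@@ -13,9 +12,10 @@` hunk of multi-factor-authentication-get-started-server-windows.md bumps `ms.date` from 02/06/2017 to 06/06/2017 while the only other changes in that file are moving `editor: yossib` to `ms.reviewer` and adding `ms.custom: it-pro`; if `ms.date` is meant to signal a content revision, a metadata-only edit should not advance it, and the three files in this patch now carry three different dates (06/06, 06/14, 06/15) for what is one sweep. Either leave the date alone or note in the commit message that the bump is deliberate.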