Setting up the Azure MFA User Portal for self service is the next step after setting up Azure MFA Server. Using the user portal, users can enroll and maintain their own account, so they need less help from your support team or admins. Users can change their PIN, change their security questions, change their phone number, enroll the mobile app, choose authentication methods, and so on. The user portal is a website that runs on Internet Information Services (IIS).
Deliverables of this post:
- Setup Azure MFA User Portal.
Requirements for the configuration:
- Windows 2016 Server running IIS and MFA Server.
- Azure subscription.
- Valid SSL certificate.
- Active Directory for user authentication.
- A hostname for the MFA Server, in my case https://mfa.vikash.nl. This must match your SSL certificate.
MFA User Portal has a lot of options and features. In this blog I will only show a few. Check your requirements and enable features accordingly. In my homelab I have MFA Server and the User Portal running on the same Windows Server.
Setup IIS for MFA User Portal
I will start by configuring IIS, so that deploying the user portal goes smoothly later on.
Start IIS Manager, click on Application Pools and select DefaultAppPool. Then click on Basic Settings in the right column.
Change the .NET CLR version to v2.0.50727. Then select Classic in Managed pipeline mode. Click on OK.
Now select Default Web Site and select Bindings in the right column.
Click on Add.
Select https and then your SSL certificate for the website. Make sure that this is the certificate with the correct DNS hostname for your MFA Server; the portal and web service URLs configured later in this post use that hostname, and a mismatch shows up as certificate errors for users and for the mobile app. Then click on OK.
Check that the binding is correct and click on Close.
Install Web Service SDK
Now go back to your MFA Server interface and select Web Service SDK. Then click on Install Web Service SDK.
Click on Next.
Click again on Next to continue.
Keep the defaults and click on Next.
After the installation finishes, click on Close.
Start IIS Manager, select MultiFactorAuthWebServiceSdk and click on Authentication.
Disable Anonymous Authentication. The SDK exposes administrative operations on the MFA Server, so it must not be reachable without credentials; with anonymous access off, every caller has to authenticate with a Windows account, which is what the service account created later in this post is for.
Setup and configure the User Portal
Now it is time to install and configure the user portal. Go to User Portal and select the options you want to enable for your users. Then click on Install User Portal.
Select the defaults and click on Next.
After installation finishes, click on Close.
Let’s test if this is working. Open a browser and go to https://<ExternalFQDN>/MultiFactorAuth/. In my case this is https://mfa.vikash.nl/MultiFactorAuth. You should see the MFA User Portal Log In page.
Setup and configure the Mobile Portal
The interface doesn't have an option to install the Mobile Portal. We need to locate the installer in the folder C:\Program Files\Multi-Factor Authentication Server. Select the file MultiFactorAuthenticationMobileAppWebServiceSetup64.msi.
Start the installer and accept the defaults. Click on Next.
After the installer finishes, click on Close.
Now we have to make sure that the MFA Server knows what the Mobile App Web Service URL is. Go to Mobile App and enter the URL: https://<ExternalFQDN>/MultiFactorAuthMobileAppWebService. In my case this is https://mfa.vikash.nl/MultiFactorAuthMobileAppWebService. The Account name can be anything you like.
Configure Service Account
The User Portal installer creates an Active Directory group named PhoneFactor Admins. Let's create an account and use it as a service account.
Open Server Manager. Click on Tools and then Active Directory Administrative Center.
I have a specific container Service Accounts. Select the container where you want to create your service account and then click on New -> User in the right column.
Enter the details according to your requirements. Make sure to set the Password options to Never expires. Because this password is later stored in clear text in the web.config of both portals, use a long random password and do not reuse it anywhere else. Then click on Member Of.
Click on Add.
Find the PhoneFactor Admins group and click on OK.
Then click on OK.
Configure Service Account for Application Pool
The next step is to configure the different components of the Azure MFA User Portal to use the service account we just created.
Go to IIS Manager, select Application Pools and then click on the MultiFactorAuthWebServiceSdk application pool. Then click on Advanced Settings in the right column.
Under Process Model select Identity. Click on the button with the three dots.
Select Custom account and click on Set.
Enter the credentials of the service account you created and click on OK.
Make sure the service account is selected and click on OK, then confirm once more with OK in Advanced Settings.
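The IIS, Active Directory and application pool steps above as one PowerShell script. This is an added example for this post, not a Microsoft tool and not part of the original post: it assumes the hostname mfa.vikash.nl used here, that the script runs on the MFA Server with the WebAdministration and ActiveDirectory modules available (the Server Manager tools), and it uses a hypothetical service account name svc-mfa, NetBIOS domain VIKASH and OU path that you should replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the IIS, AD and app pool steps in this post.
# The account name, domain and OU path below are placeholders, not values from the post.
Import-Module WebAdministration
Import-Module ActiveDirectory

$Fqdn       = 'mfa.vikash.nl'                          # must match the SSL certificate
$SvcAccount = 'svc-mfa'                                # hypothetical service account name
$NetbiosDom = 'VIKASH'                                 # hypothetical NetBIOS domain name
$SvcOuPath  = 'OU=Service Accounts,DC=vikash,DC=nl'    # hypothetical container for the account
$SdkPool    = 'MultiFactorAuthWebServiceSdk'
$SdkSite    = "Default Web Site/$SdkPool"

# 1. DefaultAppPool: .NET CLR v2.0 (shown as v2.0.50727 in IIS Manager) and Classic pipeline.
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name managedPipelineMode  -Value 'Classic'

# 2. HTTPS binding on Default Web Site, using the newest machine certificate issued for the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Fqdn and a private key in LocalMachine\My" }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null   # attach the cert to :443
}

# 3. Web Service SDK: anonymous access off, Windows authentication on. The SDK exposes
#    administrative MFA operations, so only authenticated Windows callers may reach it.
$authFilter = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SdkSite `
    -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SdkSite `
    -Filter "$authFilter/windowsAuthentication" -Name enabled -Value $true

# 4. Service account in AD, member of the group the User Portal installer created.
#    The password never expires (as in the post), so make it long and random and use it nowhere else.
$securePw = Read-Host -Prompt "Password for $SvcAccount" -AsSecureString
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $SvcOuPath `
    -AccountPassword $securePw -Enabled $true -PasswordNeverExpires $true
Add-ADGroupMember -Identity 'PhoneFactor Admins' -Members $SvcAccount

# 5. Run the SDK application pool as that account. IIS needs the clear-text password
#    once to store it (encrypted) in applicationHost.config; drop it right after.
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePw)
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$SdkPool" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$SdkPool" -Name processModel.userName     -Value "$NetbiosDom\$SvcAccount"
Set-ItemProperty "IIS:\AppPools\$SdkPool" -Name processModel.password     -Value $plainPw
Remove-Variable plainPw
Restart-WebAppPool -Name $SdkPool

# 6. Check the effective authentication state of the SDK:
#    anonymousAuthentication should be False, windowsAuthentication True.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SdkSite `
             -Filter "$authFilter/$scheme" -Name enabled
    "$scheme enabled = $($v.Value)"
}
```

The last loop is the check worth keeping around: if anonymous authentication is ever re-enabled on the SDK (for example by a later installer run), the PfWsSdk.asmx endpoint becomes callable without credentials, so rerunning that step after changes to the server is a cheap safeguard.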
Configure Service Account for Mobile Portal
Now we have to configure the Mobile Portal to use the service account. This has to be done in the config file.
Run Notepad as Administrator. Open the web.config file located in C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService.
Locate the appSettings section. Change the values of WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD to match your service account.
While we are in this file, also locate the applicationSettings section. Change the value there to match your ExternalFQDN. In my case that is https://mfa.vikash.nl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. Then save the config file.
Do some testing
Now we can do some testing and see if the service account works for the Mobile Portal. Open a browser on your MFA Server and navigate to https://localhost/MultiFactorAuthMobileAppWebService. Click on Continue if you get a certificate error (expected here, because the certificate is issued for the external hostname, not for localhost). Then click on TestPfWsSdkConnection.
Click on Invoke to start the test.
You should see the value Success if everything is correct.
Go back to https://localhost/MultiFactorAuthMobileAppWebService. Click on Continue if you get the certificate error. Then click on TestSecurity.
Click on Invoke to start the test.
If everything is fine it should return the value secure.
Configure Service Account for User Portal
Now we have to configure the User Portal to use the service account. This has to be done in the config file.
Run Notepad as Administrator. Open the Web.config file located in C:\inetpub\wwwroot\MultiFactorAuth.
Locate the appSettings section. Change the value of USE_WEB_SERVICE_SDK to true. Then change the values of WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD to match your service account.
Then scroll down and locate the applicationSettings section. Change the value there to match your ExternalFQDN. In my case this is https://mfa.vikash.nl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. Save the file.
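The web.config edits for the Mobile Portal and the User Portal as one script. This is an added example, not part of the original post: it assumes the hostname and file paths used in this post, a hypothetical service account VIKASH\svc-mfa, and that the applicationSettings entry to change is the one whose value already points at PfWsSdk.asmx (the post does not name that setting, so the script matches on the path instead of a setting name).

```powershell
#Requires -RunAsAdministrator
# Added example: applies the appSettings and applicationSettings changes from this post
# to both portal web.config files. Account name and domain are placeholders.
$Fqdn    = 'mfa.vikash.nl'
$SvcUser = 'VIKASH\svc-mfa'                              # hypothetical service account
$SvcPass = Read-Host -Prompt "Password for $SvcUser"     # asked at run time; never hard-code it here
$SdkUrl  = "https://$Fqdn/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx"

# Config file => extra appSettings that only this file needs.
$configs = @{
    'C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService\web.config' = @{}
    'C:\inetpub\wwwroot\MultiFactorAuth\Web.config'                    = @{ USE_WEB_SERVICE_SDK = 'true' }
}

function Set-AppSetting([xml]$Doc, [string]$Key, [string]$Value) {
    # Fail loudly instead of silently adding a key the portal would never read.
    $node = $Doc.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found" }
    $node.SetAttribute('value', $Value)
}

foreach ($path in $configs.Keys) {
    Copy-Item $path "$path.bak" -Force                  # keep a copy to roll back to
    [xml]$doc = Get-Content $path -Raw

    $settings = @{
        WEB_SERVICE_SDK_AUTHENTICATION_USERNAME = $SvcUser
        WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD = $SvcPass
    } + $configs[$path]
    foreach ($key in $settings.Keys) { Set-AppSetting $doc $key $settings[$key] }

    # applicationSettings: replace the SDK URL. The post does not name the setting,
    # so match on the PfWsSdk.asmx path of its current value.
    $urlNodes = $doc.SelectNodes("/configuration/applicationSettings//value[contains(., 'PfWsSdk.asmx')]")
    if ($urlNodes.Count -eq 0) { throw "no PfWsSdk.asmx URL under applicationSettings in $path" }
    foreach ($n in $urlNodes) { $n.InnerText = $SdkUrl }

    $doc.Save($path)
    Write-Output "$path updated ($($urlNodes.Count) SDK URL(s) set to $SdkUrl)"

    # The SDK password is now clear text in this file: list who can read it, and trim
    # the ACL if it is wider than SYSTEM, Administrators and the IIS worker identities.
    (Get-Acl $path).Access |
        Where-Object { $_.FileSystemRights -match 'Read' } |
        Select-Object IdentityReference, FileSystemRights |
        Format-Table -AutoSize
}
```

The ACL listing at the end is the part to look at after running it: everything the portals need is a read by the application pool identity, so any broader read access on these two files is unnecessary exposure of a PhoneFactor Admins password.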
Test MFA User Portal
After setting everything up it is now time to test the whole setup. Open a browser and navigate to your MFA User Portal. Remember to access it on the ExternalFQDN. In my case that is https://mfa.vikash.nl/MultiFactorAuth/. Enter the username and password of a user who is enabled for MFA. Then click on Log In.
Azure MFA will call the user. Answer the call.
Then press the # key to accept the authentication request.
Now you can activate the mobile app. Click on Activate Mobile App and then click on Generate Activation Code.
You will be presented with the activation page and the correct URL to activate the mobile app.
This concludes this blog post. Feel free to contact me if you have any questions or comments.
You can follow me on Twitter or add the RSS feed from my blog and you will be notified when I add new posts.