Two Factor Authentication

    With two-factor authentication (2FA), you can add an extra layer of security to ADManager Plus. When users try to access the ADManager Plus interface, they will not be allowed to proceed until 2FA is completed. ADManager Plus' built-in admin is the only user with the option to skip 2FA. ADManager Plus provides options to perform 2FA through authentication services such as Duo Security, Google Authenticator, one time password via email, and more.

    Steps to configure 2FA in ADManager Plus:

    1. Navigate to the Delegation tab.
    2. In the left pane, under Configuration, click Logon Settings.
    3. In the Logon Settings page, navigate to the Two Factor Authentication tab.
    4. Toggle the Two Factor Authentication button on to enable 2FA.
    5. Select the desired 2FA from the following authentication services:
      • Duo Security
        • Create a Duo Security account and add ADManager Plus as an application by following the steps listed on this page.
        • Log in to your Duo Security account, and navigate to the Applications section.
        • Click the Protect an Application option.
        • Search for Web SDK and click Protect this Application.
        • Copy the Integration Key, Secret Key, and API Hostname.
        • Go to the ADManager Plus console and expand Duo Security.
        • Check Enable Duo Security and paste the copied Integration Key, Secret Key, and API Hostname in the respective fields.
        • Configure the Username Pattern and click Save.
      • Google Authenticator
        • Install and set up Google Authenticator on your smartphone by following the steps listed on this page.
        • Switch to ADManager Plus and expand Google Authenticator.
        • Click the Enable Google Authenticator button.
        • While logging in to ADManager Plus, enter the code generated by the Google Authenticator app on your smartphone, in addition to your username and password.
      • One time password via email

        The Email Server settings have to be configured to use One Time Password (OTP) via email as the 2FA method.

        • Expand One time password via email and check the One time password via email option.
        • Enter a subject and draft a message using Macros in the Subject and Message fields, respectively.
        • Click Save.
      • RSA Authenticator

        RSA SecurID is a mechanism developed by RSA, the Security Division of EMC, for performing 2FA for a user attempting to access a network resource. Users can use the security codes generated by the RSA SecurID mobile app, a hardware token, or a token sent to their email or mobile device to log in to ADManager Plus.

        • Log in to your RSA admin console (e.g., https://RSA machinename.domain DNS name/sc).
        • Go to the Access tab.
        • Under Authentication Agents, click Add New.
        • Add ADManager Plus Server as an Authentication Agent and click Save.
        • Navigate back to the Access tab. Under Authentication Agents, click Generate Configuration File.
        • Download the AM_Config.zip file.
        • Copy the Authentication Manager configuration file, sdconf.rec, from the zip and paste it in <-installation-dir>/bin. If there is a file named securid (node secret file), copy and paste it, too.
        Note:
        • Ensure that the following JAR files are extracted from RSA SecurID and placed in the <ADManagerPlus_install_directory>/lib folder:
          • authapi.jar
          • Log4j.jar
          • certj.jar
          • commons-logging.jar
          • cryptojce.jar
          • cryptojcommon.jar
          • jcmFIPS.jar
          • sslj.jar
          • xmlsec.jar
        • Restart ADManager Plus after adding the files.
      • Microsoft Authenticator
        • Install and set up Microsoft Authenticator on your smartphone.
        • Navigate to ADManager Plus and expand Microsoft Authenticator.
        • Check the Enable Microsoft Authenticator option.
        • While logging in to ADManager Plus, enter the code generated by the Microsoft Authenticator app on your smartphone, in addition to your username and password.
      • SMS verification

        To enable SMS verification as an authentication method, configure SMS gateway settings in ADManager Plus and follow these steps:

        • Expand SMS Verification and check Enable SMS Verification.
        • In the Message field, enter the SMS content using macros and click Save.

        Steps to enroll your phone number

        • Log in to ADManager Plus using your account credentials.
        • In the Log in using SMS Verification page that opens up, enter your phone number and click Send Code.
        • Enter the six-digit secret code you received via SMS in the field. If needed, enable the Trust this browser option to skip this step for the next 180 days.
        • Click Verify code to verify.
    6. To manage the 2FA-enrolled users, click the Enrolled Users button. The list of 2FA-enrolled users is displayed. If needed, you can remove the configured 2FA and allow the user to reconfigure the settings.
    7. Click More options to configure the following:
      • Check Enable the "Trust this browser" option during authentication to trust the browser and let authenticated help desk technicians into ADManager Plus without being asked for 2FA for the time period specified in the Trust this browser for __ days field.
      • Check Skip 2FA for the selected technicians and select the technicians from the pop-up window to allow the selected technicians to skip 2FA while logging in to ADManager Plus.
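
    The RSA Authenticator step above depends on files being copied into the bin and lib folders before the restart. As an added example (not ManageEngine code), the following PowerShell script checks that each file listed in that step is present and non-empty; the InstallDir parameter is an assumption and must point to your own ADManager Plus installation directory.

```powershell
# Added example (not ManageEngine code): verify the RSA SecurID files are in
# place before restarting ADManager Plus.
param(
    # Assumption: path to your ADManager Plus installation directory.
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

$binDir = Join-Path -Path $InstallDir -ChildPath 'bin'
$libDir = Join-Path -Path $InstallDir -ChildPath 'lib'

# Directory, file name, and whether the RSA Authenticator step requires the file.
$expected = @(
    @{ Dir = $binDir; Name = 'sdconf.rec'; Required = $true  }
    @{ Dir = $binDir; Name = 'securid';    Required = $false }  # node secret, only if supplied
)
foreach ($jar in 'authapi.jar', 'Log4j.jar', 'certj.jar', 'commons-logging.jar',
                 'cryptojce.jar', 'cryptojcommon.jar', 'jcmFIPS.jar', 'sslj.jar',
                 'xmlsec.jar') {
    $expected += @{ Dir = $libDir; Name = $jar; Required = $true }
}

$results = foreach ($entry in $expected) {
    $path = Join-Path -Path $entry.Dir -ChildPath $entry.Name
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    if ($file -and -not $file.PSIsContainer -and $file.Length -gt 0) {
        $status = 'OK'
    } elseif ($file -and -not $file.PSIsContainer) {
        $status = 'EMPTY'      # zero-byte copy, e.g. an interrupted extraction
    } elseif ($entry.Required) {
        $status = 'MISSING'
    } else {
        $status = 'NOT PRESENT (optional)'
    }

    [pscustomobject]@{
        Status   = $status
        Required = $entry.Required
        Path     = $path
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any required file is missing or empty.
$failed = @($results | Where-Object { $_.Required -and $_.Status -ne 'OK' })
if ($failed.Count -gt 0) { exit 1 }
```

    Because sdconf.rec and the securid node secret file establish trust between the agent and the RSA Authentication Manager, restrict access to the bin folder to administrators and the account that runs ADManager Plus.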

    To personalize your preferred 2FA method

    To choose your preferred authentication method, or to use an authentication service different from the one you are currently using, perform the following steps.

    1. Navigate to the My Account option at the top-right corner.
    2. In the left pane, click the Manage my TFA settings option.
    3. Click the Edit button and choose your preferred authentication method from the options available.
    4. To set Google Authenticator or Microsoft Authenticator as your preferred method, scan the QR code displayed on the screen and enter the code generated by the app on your smartphone.
    5. Click the Verify button.
    Note: For users with Duo Security as the preferred authentication service, in the case of a lost or replaced smartphone, 2FA can still be performed smoothly by deleting the account in Duo. Follow the above steps, choose Duo Security as your preferred authentication method, and enable Duo Security once again to start from scratch.