Two Factor Authentication in Network Configuration Manager

Two Factor Authentication (TFA) provides an additional level of authentication and improves security by requiring the user to provide a unique time-based one time password (TOTP). The TOTP is generated through Authenticator Apps or as a one time password (OTP) sent to the user's configured Email address. TFA strengthens authentication and prevents unauthorized access.

Steps to configure TFA in Network Configuration Manager:

  1. Go to Settings - > User Management -> Two Factor Authentication.
  2. Select the "Enable Two Factor Authentication (TFA)" option.
  3. Choose the desired Authentication Mode: Authenticator Apps (TOTP via Authenticator apps including but not limited to Google Authenticator, Microsoft Authenticator, Duo etc.) or Email Authentication (OTP sent to the user's configured Email address).
    Note: Mail Server Settings need to be configured for the Email Authentication Mode.
  4. Enter the number of days you want to allow the User's browser to be trusted for. That is, the User won't be required to provide TOTP/OTP while logging in on that browser for the specified number of days. This will be applicable if the user selects the check box to trust the browser during login.
  5. Click 'Save'.
    Note: If 'Authenticator Apps' is chosen as the mode of Authentication, all users will be prompted to set up their Authenticator app during their next login.
    If Authenticator Apps is the chosen mode of Authentication:
     
  6. During next login, install and follow the steps shown on screen to configure your desired Authenticator app on your mobile device.
    Note: In the case of TOTP, the time in the configured mobile device must be in sync with the server time. Alternatively, if the mode of Authentication is chosen as 'Email' then the OTP will be sent via Email to the User's configured Email ID.
  7. Enter the OTP generated in the Authenticator app/Email to login.

Note: In the event that a new TOTP secret is required due to the loss of the mobile device configured or for any other such reason, the Admin User can go to Settings -> User Management and click on the 'Reset TOTP secret' icon under 'Actions' for the respective User.

Troubleshooting steps:

In the event that the Admin user is unable to login to the product, and if the Admin has lost the configured mobile device/is unable to retrieve the OTP from Email, then TFA can be disabled by running a BAT/SH file. To troubleshoot, follow the steps below:

Note: In the case of TOTP, the time in the configured mobile device must be in sync with the server time. Alternatively, if the mode of Authentication is chosen as 'Email' then the OTP will be sent via Email to the User's configured Email ID.

For Windows:

  1. Stop the OpManagerService.
  2. Open command prompt as Administrator, navigate to <OpManager_installed_dir/bin>.
  3. Execute the DisableTFA.bat file.
  4. Start the OpManagerService.

For Linux:

  1. Stop the OpManagerService
  2. Open terminal as a privileged user (su/sudo)
  3. Navigate to <OpManager_installed_dir/bin>.
  4. Execute the DisableTFA.sh file.
  5. Start the OpManagerService.

For any further queries, kindly reach out to ncm-support@manageengine.com.

Was this article helpful?