Two Factor Authentication


 

With the Two Factor Authentication service, you can add an extra layer of security to your account, in addition to your username and password. When you try to access the ADManager Plus interface, you will not be allowed to proceed until Two Factor Authentication is completed (admins alone have the option to skip authentication via TFA). ADManager Plus provides options to perform TFA through authentication services such as Duo Security, Google Authenticator, or one time password via email.

      

Steps to configure Two Factor Authentication:

 

1. Go to the Admin tab.


2. Click the Two Factor Authentication link under General Settings.


3. Enable Two Factor Authentication using the button near Two Factor Authentication is.


4. Select the authentication service required for TFA from the following 3 options.

    Duo Security:

    • Add ADManager Plus under Applications in your Duo Security account.
    • To set up inline self enrollment, follow these steps.
    • The credentials to enable TFA using Duo Security can be found by clicking the application name in the Applications tab of Duo.
    • Enter the integration key, secret key, and API host name displayed in Duo Security in ADManager Plus.
    • Click the Save button.
         

    Google Authenticator:

    • Select the Enable Google Authenticator button.
    • Click the Save button.
    • When logging in, enter the code generated by the Google Authenticator app on your smartphone, in addition to your username and password.
    • Click here for more details.

    One time password via email:  

    In order to receive emails about the One Time Password (OTP), you need to configure mail server settings by performing the following steps.
    • Go to the Admin tab.
    • Click the Server link under General Settings.
    • Under Mail Settings, specify the name and port of the mail server.
    • Click the Advanced link in order to specify the username and password for mail server access.
    • Enter the Admin Mail Address and test that it works by clicking the Send Test Mail link.
    • Click the Save Changes button.
    • Under one time password via email, enter the subject of the OTP email.
    • Enter the content of the email using Macros where needed.
    • Click the Save button.

    RSA Authenticator:  

    RSA SecurID, formerly referred to as SecurID, is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) for performing two-factor authentication for a user to a network resource. Users can log in to ADManager Plus with the security codes generated by the RSA SecurID mobile app or hardware tokens, or with tokens received in their mail or on their mobile.


    Steps to Integrate RSA SecurID with ADManager Plus:

    • Log in to your RSA admin console (e.g., https://RSA machinename.domain DNS name/sc).
    • Go to Access, Authentication Agents, click Add New.
    • Add ADManager Plus Server as an Authentication agent and click Save.
    • Go to Access, Authentication Agents, click Generate Configuration File.
    • Download AM_Config.zip (Authentication Manager config).
    • Extract sdconf.rec from the zip to <-installation-dir>/bin. If there is a file named securid (node secret file), copy it too.
    • That's it! You are now ready to use RSA SecurID with ADManager Plus.

    Troubleshooting: Log in to your RSA admin console and go to the Reporting tab. Under Real time Activity Monitors, click Authentication Activity Monitor. Now click Start Monitor.


5. Manage the users who have been successfully authenticated using TFA by clicking the Manage Authenticated Users button. The list of TFA configured users is displayed. If needed, you can remove the configured TFA and allow the user to reconfigure the settings.

 

To personalize your preferred authentication method:

In order to choose your preferred authentication method, or to use an authentication service different from the one you are currently using, perform the following steps.

  • Go to the My Account link at the top left corner.
  • Select the Manage my TFA settings option.
  • Click the Edit button.
  • Choose your preferred authentication method from the options available.
  • If you choose the Google Authenticator service as your preferred method, the next dialog box prompts you to scan the QR code presented and enter the code generated by the app on your smartphone.
  • Click the Verify button.
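
What the QR scan and the Verify step involve, as an added example that is not ADManager Plus code: Google Authenticator implements TOTP (RFC 6238), so the QR code carries an otpauth:// URI holding a shared secret, and the server recomputes the code for the current time step. The secret (the RFC 6238 test key), the account and issuer names, the one-step drift window and the replay check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample secret: the RFC 6238 test key, base32-encoded as authenticator apps expect.
SECRET = base64.b32encode(b"12345678901234567890").decode()
STEP = 30  # seconds per code, the Google Authenticator default


def totp(secret_b32, at, digits=6):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that an enrollment QR code encodes (issuer and account are hypothetical)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}")


class Verifier:
    """Server-side check: tolerate +/- `window` steps of clock drift, refuse reused codes."""

    def __init__(self, secret_b32, window=1):
        self.secret, self.window, self.last_step = secret_b32, window, -1

    def verify(self, code, now):
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:  # step already accepted: treat as replay
                continue
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SECRET, "jdoe", "ADManager Plus"))
    v = Verifier(SECRET)
    print(v.verify(totp(SECRET, 59), 59), v.verify(totp(SECRET, 59), 59))
```

Because the secret in the QR code is all that is needed to generate valid codes, the enrollment screen should be treated like a password prompt.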

Note: 

For users with Duo Security as the preferred authentication service: if your smartphone is lost or replaced, TFA can still be performed smoothly by deleting the account in Duo. Then follow the above steps, choose Duo Security as your preferred authentication method, and enable Duo Security once again to start from scratch.