Two-factor Authentication

To strengthen user logon security, ADSelfService Plus supports two-factor authentication. Once enabled, ADSelfService Plus will require users to authenticate using one of the authentication mechanisms below, in addition to their Active Directory credentials, whenever they log in.

Set up 2-factor authentication

RSA SecurID

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) for performing two-factor authentication of a user to a network resource. Users can log in to ADSelfService Plus with the security codes generated by the RSA SecurID mobile app or by hardware tokens, or with tokens received by email or on their mobile phone.

Steps to Integrate RSA SecurID with ADSelfService Plus

  1. Log in to your RSA admin console (e.g., https://adssp-rsa.csez.zohocorpin.com/sc).

  2. Go to Applications. Under Authentication Agents, click Add New.

  3. Add the ADSelfService Plus server as an authentication agent and click Save.

  4. Go to Applications. Under Authentication Agents, click Generate Configuration File.

  5. Download AM_Config.zip (Authentication Manager config).

  6. Extract sdconf.rec from the zip to <ADSSP-installation-dir>/bin. If there is a file named securid (the node secret file), copy it too.

That's it! You are now ready to use RSA SecurID with ADSelfService Plus.

Troubleshooting: Log in to your RSA admin console and go to the Reporting tab. Under Real Time Activity Monitors, click Authentication Activity Monitor, then click Start Monitor.

Verification Code

When this option is selected, ADSelfService Plus sends a verification code via email and SMS to the user's registered email address and mobile number. The user has to enter the verification code to log in successfully.

The email address and mobile number used to send the verification code are taken from the users' enrollment data as well as from Active Directory.

To specify which attributes are to be used to fetch the email address and mobile number from AD:

  1. Go to Admin → Product Settings → Server Settings → Mail/Mobile attributes.

  2. Select a domain and then select the attribute type (mail or mobile).

  3. Select the attributes. To add another attribute, click Add more.

You can select either email or SMS, or both, for sending the verification codes.

Email Verification Code

  1. Make sure you've configured the Mail Server.

  2. Customize Subject and Message.

SMS Verification Code

  1. Make sure you've configured the SMS Server.

  2. Customize Message.

Duo Security

Duo Security is a two-step verification service that provides additional security when accessing applications. Users can use the six-digit security codes generated by the Duo Mobile app to log in to ADSelfService Plus.

Steps to Integrate Duo Security with ADSelfService Plus

  1. Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com), or sign up for a new one and log in.

  2. Go to Applications. Click Protect an Application.

  3. Search for Web SDK. Click Protect this Application.

  4. Copy the Integration key, Secret key and API hostname to ADSelfService Plus and click Save.

Note: If you are using an older version of Internet Explorer, add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and the admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted or intranet site.

RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.

RADIUS-based two-factor authentication for ADSelfService Plus can be configured in two simple steps.

Step 1: Integrate RADIUS with ADSelfService Plus

  1. Log in to the RADIUS server.

  2. Navigate to the clients.conf file (/etc/raddb/clients.conf).

  3. Add the following snippet to the clients.conf file:

         client AdsspServerName
         {
             ipaddr = xxx.xx.x.xxx
             secret = secretCode
             nastype = other
         }

  4. Restart the RADIUS server.

Step 2: Configure ADSelfService Plus for RADIUS

Note: The Username Pattern is case sensitive. Make sure you select the exact pattern (uppercase or lowercase) used in your RADIUS server.

Once configured, users will have to provide their RADIUS passwords, in addition to their domain passwords, to gain access to ADSelfService Plus.
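The RADIUS exchange behind the clients.conf entry above, as an added example that is not part of the ADSelfService Plus documentation or product: a minimal RFC 2865 Access-Request/Access-Accept round trip in Python, showing how the shared secret both hides the user's PAP password on the way to the server and signs the server's reply. The secret, usernames and passwords are constructed sample values; the RADIUS client is assumed to use PAP.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _pap_xor(secret, authenticator, data, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    hiding chains on the produced blocks, unhiding on the received ones."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out, prev = out + result, (result if hide else block)
    return out

def build_access_request(secret, ident, username, password):
    """Client (NAS) side: returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator per request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, _pap_xor(secret, req_auth, padded, hide=True))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def parse_attrs(payload):
    attrs, pos = {}, 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_respond(secret, packet, users):
    """Server side: recover the PAP password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = _pap_xor(secret, req_auth, attrs.get(USER_PASSWORD, b""), False).rstrip(b"\x00")
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(secret, response, req_auth):
    """Client side: accept only an Access-Accept signed with our shared secret."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return response[0] == ACCESS_ACCEPT and hmac.compare_digest(response[4:20], expected)
```

If the secret in clients.conf differs from the one entered in ADSelfService Plus, the password decodes to garbage and the request is rejected, and a reply signed with the wrong secret fails verification on the client side.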

Copyright © 2019, ZOHO Corp. All Rights Reserved.