Identity verification for the enterprise network using Zoho OneAuth

In enterprise networks, user identity verification is no longer carried out simply through usernames and passwords. This is because without additional authentication layers, i.e., multi-factor authentication, enterprise networks and resources become easy prey to credential-based attacks. This is why, in the current technological landscape, multi-factor authentication has become a mandatory part of every organization's authentication system.

A time-based one-time-passcode (TOTP) is a prevalent authentication method used for MFA. Zoho OneAuth, a multi-factor authenticator solution, offers a mobile-based TOTP authenticator for social and enterprise accounts. When implemented, the Zoho OneAuth OTP authenticator generates verification codes every 30 seconds, and users will have to enter the verification code within that time to complete authentication. In combination with credentials and other authentication methods such as biometrics, the TOTP authenticator proves to be a viable barrier against unauthenticated access.

Achieve holistic enterprise MFA with Zoho OneAuth

ManageEngine ADSelfService Plus supports the Zoho OneAuth OTP authenticator as a method to implement MFA during enterprise application logins along with:

• Local and remote Windows, macOS, and Linux logins.
• Microsoft Outlook Web Access and Exchange logins.
• Self-service password reset and account unlock.

Furthermore, implementing enterprise MFA with ADSelfService Plus provides the following benefits:

• Granular configuration: Implement MFA using particular authenticators for users belonging to specific groups, OUs, and domains.
• Adaptive MFA: The solution offers provisions to heighten, relax, or skip MFA during authentication based on IP address, time of access, geolocation, and device used.
• Detailed audit reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
• Ensure 100% enrollment: Automate user enrollment by importing users' domain information through CSV files or force enrollment using login scripts.

How to configure MFA using Zoho OneAuth in ADSelfService Plus

Prerequisites:

1. SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply a SSL certificate and enable HTTPS.
2. Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
3. Endpoint MFA: Your ADSelfService Plus license must include the Endpoint MFA. Visit the store to purchase it. (Applicable to MFA for machine and OWA logins)
4. Install the ADSelfService Plus login agent: Click here to install the ADSelfService Plus login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. (Applicable to MFA for machine logins)

Steps to configure:

1. Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
2. From the Choose the Policy drop-down, select a policy.
   Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups and choose the OUs or groups to which you want to apply the policy. You need to select at least one self-service feature. Finally, click Save Policy.
3. Click Zoho OneAuth TOTP.
4. Click the Enable Zoho OneAuth TOTP button.

   

Enable Zoho OneAuth TOTP-based MFA for machine logins

1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
3. In the MFA for Machine Logins section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
4. Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
5. Click Save Settings.

Enable Zoho OneAuth TOTP-based MFA for enterprise application logins

1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Applications.
2. Select a policy from the Choose the Policy drop-down.
3. In the MFA for Cloud Applications section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
4. Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
5. Click Save Settings.

Enable Zoho OneAuth TOTP-based MFA for OWA

Step 1: Configuring MFA for OWA

1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
2. Click the Choose the Policy drop-down and select a policy. This will determine which authentication methods are enabled for which sets of users.
3. In the MFA for OWA Login section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
4. Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
5. Click Save Settings.

Step 2: Install the ADSelfService Plus MFA Connector

The Internet Information Services MFA extension must be installed in Exchanger Server to enable MFA for OWA and Exchange admin center logins. It triggers the request for the completion of other authentication factors after the primary password authentication is successful.

1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
2. Navigate to MFA for OWA and click on the help icon.
3. Download the ADSelfService Plus MFA Connector from the pop-up that appears.
4. Copy the extension file (AdsspOWAIISModule.zip) to the Windows server that you have configured as the Exchange server. Extract the ZIP file’s content and save it in any location.
5. Open PowerShell (x64) as an administrator and navigate to the folder where the content of the extension files is located.
6. Execute the following command:
   PS C:\> .\setupIISMFAModule.ps1 Install