Two Factor Authentication in OpManager

Two Factor Authentication (TFA) provides an additional level of authentication and improves security by requiring the user to provide a unique time-based one-time password (TOTP) generated by an Authenticator app, or a one-time password (OTP) sent to the user's configured Email address. TFA strengthens authentication and prevents unauthorized access.

Note: This feature is available from OpManager version 125415.

Steps to configure TFA in OpManager

  1. Go to Settings -> General Settings -> Authentication -> Two Factor Authentication.
  2. Select the "Enable Two Factor Authentication (TFA)" option.
  3. Choose the desired Authentication Mode: Authenticator Apps (TOTP via Authenticator apps including but not limited to Google Authenticator, Microsoft Authenticator, Duo etc.) or Email Authentication (OTP sent to the user's configured Email address).
    Note: Mail Server Settings need to be configured for the Email Authentication Mode.
  4. Enter the number of days for which the User's browser should be trusted. That is, the User won't be required to provide a TOTP/OTP while logging in on that browser for the specified number of days. This applies only if the user selects the check box to trust the browser during login.
  5. Click 'Save'.
    Note: If 'Authenticator Apps' is chosen as the mode of Authentication, all users will be prompted to set up their Authenticator app during their next login.

    If Authenticator Apps is the chosen mode of Authentication:

  6. During the next login, install and follow the steps shown on screen to configure your desired Authenticator app on your mobile device.
  7. Enter the OTP generated in the Authenticator app (or received by Email) to log in.

Troubleshooting steps

  • In the case of TOTP based authentication,
    • Since TOTP is time based, the time in the configured mobile device must be in sync with the server time.
    • In the event that a new TOTP secret is required due to the loss of the mobile device configured or for any other such reason, the Admin User can go to Settings -> General Settings -> Authentication and click on the 'Reset TOTP secret' icon under 'Actions' for the respective User.
    • If the default 'admin' user is unable to log in to the product and has lost the configured mobile device, execute the script "ResetSuperAdminTOTP.bat/sh" to reset the super admin user's TOTP secret.
  • In the case of Email based authentication,
    • When 'Email' is chosen as the mode of Authentication, the OTP is sent via Email to the User's configured Email ID, so please ensure that the correct Email ID is configured. The admin user has the privileges to correct the Email ID if the configured one is wrong.
    • If users are unable to receive the OTP via Email due to a change in the mail server configuration, execute the script "DisableTFA.bat/sh" to disable TFA temporarily.

Steps to execute the script

There might be a scenario where the Mail server has issues sending the OTP by mail, or where the Mobile device on which the TOTP Authenticator app is configured was lost or is not accessible. In such scenarios, the OpManager server UI will not be accessible, since the OTP prompt cannot be passed.

In such cases, for versions older than 127257, contact our support. For versions 127257 and above, follow the steps below:

  • Stop the OpManager service completely, open the <OpManager_Home>/logs/wrapper.log file and check that the following line is present at the end of the file. This confirms that the OpManager service has stopped completely.
  • For Windows, open a command prompt as an administrator user on the server machine where OpManager is installed. For Linux, open the terminal as the root user.
  • Navigate to <opmanager_home>/bin directory and execute the script file.
  • A prompt will be shown asking for the Super Admin user password in order to validate the operation.
  • A success message will be shown upon successful script execution.

Possible errors and resolution

Access is denied. Please execute this script with administrator privilege.

  • For Windows, the script should be executed as an Administrator user on the machine where OpManager is installed. For Linux, root user access is required to run the script. In case of insufficient access, the above error message will be shown.

Server is currently running. Please shutdown the server to run this script.

  • The OpManager service should be stopped completely in order to run the script. Stop the OpManager service either through Services or by executing the <opmanager_home>/bin/shutdown.bat/sh script.
  • Open the <OpManager_Home>/logs/wrapper.log file and check that the following line is present at the end of the file. This confirms that the OpManager service has stopped completely.

Invalid super-admin user password

The super admin user password provided is invalid. Any further operation will be restricted and script execution will be terminated. A valid super admin user password should be provided in order to perform the operation successfully.

For any further queries, kindly reach out to opmanager-support@manageengine.com.
