The AuthAnvil Two Factor Auth Web Logon Agent offers companies the ability to add strong two-factor authentication to Web directories or web applications running on IIS. Below is a step-by-step guide explaining how to install and configure the agent.
Note: This integration is only compatible with IIS 6/7. IIS 8 is not supported.
- Download the Web Logon Agent Installer as instructed at https://help.scorpionsoft.com/entries/88988058
- Click Run to start the install immediately or Save to manually start the installer.
- Click Next on the welcome installer dialog after ensuring the recommendations are met.
- Review the license agreement and, when satisfied, enable the I Agree checkbox and click Next.
- Select the path to which the Web Logon Agent will be installed, then click Next. The default is C:\Program Files\Scorpion Software.
- Click Next to install the agent.
- Once the installation completes, click Finish to close the installation wizard and, optionally, launch the AuthAnvil Web Logon Configuration Wizard.
Global Security Configuration Wizard
First, a user needs to be set up which will be used to poll Active Directory for groups and group members. The web logon agent uses this user whenever it needs to look up the list of groups later in the configuration.
When prompted, enter a username and password. This user must have impersonation rights on the domain. We used the administrator account for demonstration purposes; ideally, use an account with minimal rights that also has impersonation rights on the domain.
- After the information has been entered, click Test Logon to complete the wizard.
Note: This may take up to 10 seconds to complete. On completion, the confirmed user should match the username you entered.
- Click Finish to close the Global Security Wizard and proceed with the AuthAnvil Web Logon Configuration Wizard to configure new sites for the web logon agent.
Note: The Global Security Configuration Wizard only runs once, on initial install. If you need to reset the account used for AD queries, you can run the tool manually at any time.
Protecting a Website
The AuthAnvil Web Logon Configuration Wizard allows for the configuration of protection scopes inside Internet Information Server (IIS). Please note that the entire configuration wizard MUST finish before changes are applied to the web logon agent. This guide will start with Select a New Site to Protect and use an intranet site as an example. Once the AuthAnvil Two Factor Auth Web Logon Agent has been installed, you can access the settings by opening the AuthAnvil Web Logon Configuration Wizard from the Programs Start menu.
Click Start > All Programs > Scorpion Software > AuthAnvil Web Logon Agent > AuthAnvil Web Logon Agent Configuration Tool
- After clicking Next on the Configuration Utility window, choose Enable Protection for a Web Directory.
- Choose from the list of unprotected web sites, or a virtual directory within a site, to protect. Sites already protected will be grayed out or may not be present.
- In this step, configure the protection settings for the web logon agent, such as the Primary AuthAnvil 2FA SAS URL and Primary Site ID. Click Next when complete.
Note: You can use an AuthAnvil Strong Authentication Server that is not local by specifying a Fully Qualified Domain Name, e.g. https://domain.com/AuthAnvil/SAS.asmx. Open the URL in a browser on the IIS server to ensure the server can reach the web service and that it trusts the SSL certificate.
Security Note: Use SSL so that the authentication PIN and password are encrypted during transmission. SSL is required to use the Web Logon Agent regardless of whether you choose to set this or not.
- IP addresses appearing in the IP whitelist will not require authentication; browsers will open the protected site immediately. You can add individual IPs or a range: enter each one and click Add. You can include up to 1500 IPs. Once done, click Next.
Note: Some web applications use localhost for their own internal services and require open communication to localhost. (Windows SharePoint Services Companyweb and Kaseya are examples of this.) You may need to add a registry key to allow the application full access to localhost. Details are in the Localhost White Listing section of the appendix of this document.
Note for ISA Proxy users: Due to payload inspection by the ISA proxy server, you need to reconfigure port 4260 to allow SSL traffic. You can do this using the ISA TPR script available at http://www.isatools.org/tools/isa_tpr.js
Usage: cscript isa_tpr.js /add AAWL 4260
- Select the Authorized Groups that the web logon agent will allow to access this protected application. By default it is set to Everyone. By selecting a specific Security Group, only those members will be authorized to access this protected resource.
Note: The Everyone group ALSO covers accounts NOT in Active Directory. If Everyone is set, no AD Security Group check is performed. It must be set to either Everyone OR the selected groups.
Security Note: Adding only the groups that need access reduces the attack surface of the protected web application and restricts who is allowed to authenticate. Users are then required both to hold a valid authentication token and to be in an authorized group before being permitted access.
- Review the affected web directory and ensure it is correct. Click Finish to apply the settings.
Add a certificate to the AuthAnvilLogon site in IIS.
The installer creates a new website in IIS called AuthAnvilLogon. All browsers are redirected to this site for authentication; after authenticating, the browser is redirected back to the originally requested site.
Note: You will require an existing certificate on the server. You can create self-signed certificates in SBS with the Certificate wizard, or use the SelfSSL tool from the IIS 6 Resource Kit available from Microsoft.
Security Note: If your site will be externally available, you may want to use a third-party certificate authority to issue your certificate. Doing so makes it easier for browsers to trust the certificate applied to the protected resource without having to trust it manually.
- Open IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager.
- Open the Web Sites folder and right-click the AuthAnvilLogon site. Click Properties.
- Click the Directory Security tab and, in the Secure communications area, click the Server Certificate button.
- The Web Server Certificate wizard will start. Click Next.
- Select the option Assign an existing certificate. Click Next.
- Select the certificate you want to use, then click Next.
- Confirm the SSL port is 4260, then click Next.
- Complete the wizard by clicking Finish.
Critical Note: You must open port 4260 on your firewall; otherwise users will get a 404 Page cannot be displayed error.
Note regarding ISA Proxy: If you use ISA proxy, you must allow SSL traffic on port 4260.
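The two connectivity requirements above (the SAS URL reachable over an SSL certificate this server trusts, and the AuthAnvilLogon site answering on port 4260 with a certificate browsers will accept) can be checked from the IIS server with the following PowerShell script. It is an added example written for this guide, not part of the original article or the product; the SAS URL, host name and port are placeholders you replace with your own values, and it uses only .NET classes so it runs on the PowerShell 2.0 found on IIS 6/7 hosts.

```powershell
param(
    # Placeholder values; replace with your SAS URL and the name users will type for the logon site.
    [string]$SasUrl    = "https://sas.example.com/AuthAnvil/SAS.asmx",
    [string]$LogonHost = "localhost",
    [int]$LogonPort    = 4260
)

function Test-SasUrl {
    param([string]$Url)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = "GET"
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        Write-Host ("SAS URL reachable: HTTP {0}" -f [int]$resp.StatusCode)
        $resp.Close()
        return $true
    } catch [System.Net.WebException] {
        # TrustFailure means the server answered but this machine does not trust its SSL certificate,
        # which is exactly the case the note above asks you to rule out before continuing.
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            Write-Warning "SAS URL answered, but its SSL certificate is not trusted by this server."
        } else {
            Write-Warning ("SAS URL check failed: {0}" -f $_.Exception.Message)
        }
        return $false
    }
}

function Test-LogonSiteTls {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port) }
    catch {
        Write-Warning ("Nothing answers on {0}:{1}; check the AuthAnvilLogon binding and the firewall." -f $HostName, $Port)
        return $false
    }
    # Perform a real TLS handshake so .NET validates the certificate chain and host name,
    # the same checks a user's browser will apply to the logon page.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("Port {0} presents certificate {1} (expires {2})" -f $Port, $cert.Subject, $cert.NotAfter)
        return $true
    } catch {
        Write-Warning ("TLS handshake on port {0} failed: {1}" -f $Port, $_.Exception.Message)
        return $false
    } finally { $ssl.Dispose(); $client.Close() }
}

$sasOk = Test-SasUrl $SasUrl
$tlsOk = Test-LogonSiteTls $LogonHost $LogonPort
if ($sasOk -and $tlsOk) { Write-Host "Web Logon Agent connectivity checks passed." }
else { Write-Warning "Fix the items above before protecting a site." }
```

Run it with -LogonHost set to the external name users will browse to: a handshake failure there with a self-signed or mismatched certificate is the same failure their browsers will report.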
Edit Settings for a Protected Site
Editing a protection scope on a web application is no different from creating it. The only thing to be aware of is that an iisreset is required to ensure the agent resident in memory is reloaded. The wizard will prompt for this; alternatively, you can run it manually by opening a Run prompt, typing iisreset and clicking OK.
Note: Failing to perform an iisreset after an edit may mean the setting is not applied until IIS reloads it.
Tip: Remember that an iisreset will halt all current web sessions. It is recommended that you make such changes during non-peak work hours.
If any of your protected virtual directories are accessed externally (e.g. OWA), you will need to configure ISA to allow the AuthAnvilImages folder through. If it is not configured, the authentication page will show no graphics and will not properly display some errors. If you are not using ISA, disregard this step. In this example we'll use OWA; however, you may need to look for a specific rule related to your virtual directory.
When you ran the Internet Connection Wizard, it created a rule called SBS OWA Web Publishing Rule. Modify the existing rule and add /AuthAnvilImages/* on the Paths tab.
Localhost White Listing
Some web applications install to the localhost address and may require unrestricted access to function properly. Windows SharePoint Services for companyweb and Kaseya are examples of this. In such cases you will need to add a key in the registry to accommodate this.
Security Note: This setting disables strong authentication completely on the IIS server when accessing the localhost site, and should only be used if needed. Any value in the key other than 1 disables this setting.
- Launch the registry editor by opening a Run prompt, entering regedit and clicking OK.
- Browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilWebLogon
- Add a new entry with the following settings:
- Close the registry editor and open a new browser window to test that the registry key is now being used.
If changes are made to the MIME settings on a website, a dialog in IIS will ask if a copy should be made to the ScriptMaps of all child nodes. If Yes is selected, the AAWebLogon extension will also be copied to all child nodes.
If this happens, all references to the DLL will need to be removed. This can be done by selecting a virtual directory in IIS, right-clicking and choosing Properties. Under the Home Directory tab, click Configuration and remove the reference to aaweblogon.dll in the bottom pane. An iisreset will be needed to apply the changes. Open a Run prompt, enter iisreset and click OK.
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com