One of the biggest difficulties when managing multiple client sites is dealing with the administrative burden of changing passwords when an employee leaves or changes roles in the business. This guide will assist you in configuring proxied delegation for use with Multi-Site Administration. This configuration allows selected group members within AuthAnvil Two Factor Auth to have the ability to log into remote client sites using their own AuthAnvil Two Factor Auth token alongside a single domain or root credential, eliminating the need for multiple hardware tokens to provide strong authentication across sites.
An added benefit of this approach is that it makes it extremely easy and cost effective to revoke such remote access across all client sites simultaneously, by simply disabling a user's token or removing the user from the primary Grouped User account.
Creating a Grouped User
Grouped Users are unique in that they act like normal users in AuthAnvil Two Factor Auth, but can have different members with different tokens assigned to them.
1. First open AuthAnvil Two Factor Auth Manager, and then go to the Users tab.
2. Create a Grouped User on your own corporate AuthAnvil Two Factor Auth SAS by mousing over the Actions menu.
3. Select Add New Grouped User.
4. Enter a username that will match the administrative account name on the remote client systems. Common examples include Administrator or root. For Windows administration, we recommend that you do not use the default domain administrator and instead use a secondary account named something unique yet common across all client sites. We suggest naming it something like admintech.
5. Assign members to the Grouped User by moving them from the Available Members tab to the Current Members tab.
6. Click Save Changes to complete the task.
Enabling IPs in IIS
If you have hardened your AuthAnvil Two Factor Auth server you may have reduced the attack surface of the AuthAnvil Two Factor Auth SAS to a limited set of IPs. If so, please follow the steps below to allow for access by the secondary AuthAnvil Two Factor Auth server(s):
1. Go into the Internet Information Services (IIS) Manager on your primary AuthAnvil Two Factor Auth server at your office.
2. Click on Web Sites > Default Websites.
3. Right click on AuthAnvil and go to Properties > Directory Security tab.
4. Click Edit under the IP address and domain name restrictions section.
5. Enable the IP addresses for all client sites. Ensure the Denied Access option is checked, as you want to continue to have every IP denied EXCEPT the addresses you enter. Click Add.
6. Enter the IP addresses manually, or click DNS lookup to search by domain name. Click OK when finished.
7. Repeat steps 5 and 6 for each remote client site IP you wish to allow access from.
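The same deny-all-except-listed rule, expressed as configuration rather than through the IIS 6 Manager screens above, as an added example that is not part of the original guide: on IIS 7 or later the IP and Domain Restrictions feature must be installed, and because the ipSecurity section is locked at the server level by default, the fragment is placed in a <location> element for the site in applicationHost.config (or the section is unlocked first). The two client-site addresses are constructed placeholders.

```xml
<!-- applicationHost.config: restrict the AuthAnvil SAS application to the listed client sites -->
<location path="Default Web Site/AuthAnvil">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" is the equivalent of the "Denied Access" option:
           every address not listed below is refused -->
      <ipSecurity allowUnlisted="false">
        <!-- constructed placeholder: single remote client site server -->
        <add ipAddress="203.0.113.25" allowed="true" />
        <!-- constructed placeholder: a client site that uses a /28 address block -->
        <add ipAddress="198.51.100.16" subnetMask="255.255.255.240" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

After applying it, confirm from an address that is not listed that requests to /AuthAnvil/SAS.asmx are refused, and from a listed client site that they succeed, before relying on the restriction.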
Create a Proxied User
In this step we will create a proxied user for the client site. A Proxied User forwards authentication to a different AuthAnvil Two Factor Auth server for validation. This is how members of a Grouped User can manage all the machines remotely.
1. Open Anvil Manager on the remote client site where an AuthAnvil Two Factor Auth SAS is also installed. Go to the Users tab.
2. Create a Proxied User with the same name as the Grouped User on your corporate AuthAnvil Two Factor Auth SAS, such as admintech.
3. Point it at your corporate AuthAnvil Two Factor Auth SAS, e.g. https://yourmainserver.com/AuthAnvil/SAS.asmx
4. Complete steps 1-3 on any other client sites on which you want to provide multi-site administration.
5. Install the AuthAnvil Two Factor Auth Windows Logon Agent on any client servers or workstations and ensure it points its authentication at the local server. See the AuthAnvil Two Factor Auth Windows Logon Implementation Guide for further instructions on how to install it.
Alternate Configuration: No client-side AuthAnvil Two Factor Auth server
On client sites that do not have an AuthAnvil Two Factor Auth server, you can still offer centralized two-factor authentication. Instead of pointing the agents at a local AuthAnvil Two Factor Auth server as in the previous steps, simply configure them to use the AuthAnvil Two Factor Auth server at your office. Just remember to configure an override password and/or security group so that your staff can still log on if the network link to your office is down.
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.