One of the biggest difficulties when managing multiple client sites is the administrative burden of changing passwords when an employee leaves or changes roles in the business. This guide will assist you in configuring proxied delegation for use with Multi-Site Administration. This configuration allows selected group members within AuthAnvil Two Factor Auth to log into remote client sites using their own AuthAnvil Two Factor Auth token alongside a single domain or root credential, eliminating the need for multiple hardware tokens to provide strong authentication across sites.
An added benefit of this approach is that it makes it extremely easy and cost-effective to revoke such remote access across all client sites simultaneously, simply by disabling a user’s token or removing them from the primary grouped account.
Creating a Grouped User
Grouped Users are unique in that they act like normal users in AuthAnvil Two Factor Auth, but can have different members with different tokens assigned to them.
1. First, open AuthAnvil Two Factor Auth Manager and go to the ‘Users’ tab.
2. Create a ‘Grouped User’ on your own corporate AuthAnvil Two Factor Auth SAS by mousing over the actions menu.
3. Select ‘Add New Grouped User’.
4. Enter a username that matches the administrative account name on the remote client systems. Common examples include “Administrator” or “root”. For Windows administration, we recommend that you do not use the default domain administrator and instead use a secondary account named something unique yet common across all client sites. We suggest naming it something like ‘admintech’.
5. Assign members to the ‘Grouped User’ by moving them from the ‘Available Members’ tab to the ‘Current Members’ tab.
6. Click ‘Save Changes’ to complete the task.
Enabling IPs in IIS
If you have hardened your AuthAnvil Two Factor Auth server, you may have restricted access to the AuthAnvil Two Factor Auth SAS to a limited set of IP addresses. If so, follow the steps below to allow access by the secondary AuthAnvil Two Factor Auth server(s) at the client sites:
1. Open the Internet Information Services (IIS) Manager on your primary AuthAnvil Two Factor Auth server at your office.
2. Click on Web Sites > Default Web Site.
3. Right-click on AuthAnvil and go to Properties > Directory Security tab.
4. Click Edit under the ‘IP address and domain name restrictions’ section.
5. Enable the IP addresses for all client sites. Ensure the ‘Denied Access’ option is checked, as you want every IP to remain denied EXCEPT the addresses you enter. Click ‘Add’.
6. Enter the IP addresses manually, or click ‘DNS lookup’ to search by domain name. Click ‘OK’ when finished.
7. Repeat steps 5 and 6 for each remote client site IP address you wish to allow access from.
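The steps above describe the IIS 6 dialog. On IIS 7 and later the same allow-list lives in the ipSecurity configuration section and can be scripted, which is useful when you have many client sites or need to re-run the change after adding one. The following is an added example and not part of the AuthAnvil documentation; it assumes the WebAdministration PowerShell module and the “IP and Domain Restrictions” role service (Web-IP-Security) are installed, that the AuthAnvil application sits under “Default Web Site/AuthAnvil”, and the two client-site addresses are constructed placeholders.

```powershell
# Added example (not from the AuthAnvil documentation): PowerShell equivalent of the
# "IP address and domain name restrictions" dialog on IIS 7+.
# Assumptions: WebAdministration module, Web-IP-Security role service, and the
# AuthAnvil application located at "Default Web Site/AuthAnvil".
Import-Module WebAdministration

$location = 'Default Web Site/AuthAnvil'
$filter   = '/system.webServer/security/ipSecurity'

# Public addresses of the remote client-site AuthAnvil servers (constructed placeholders).
$allowedClientSites = @(
    '203.0.113.10',   # client site A
    '198.51.100.25'   # client site B
)

# The ipSecurity section is locked at the server level by default; unlock it so the
# restriction can be applied to this application only.
Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# Deny everything that is not explicitly listed (the "Denied Access" default in the dialog).
Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $location `
    -Name 'allowUnlisted' -Value $false

foreach ($ip in $allowedClientSites) {
    # Skip addresses already present so the script can be re-run safely after adding a site.
    $existing = Get-WebConfiguration -Filter "$filter/add[@ipAddress='$ip']" `
        -PSPath 'IIS:\' -Location $location
    if (-not $existing) {
        Add-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $location `
            -Name '.' -Value @{ ipAddress = $ip; allowed = 'True' }
    }
}

# Verify the result: allowUnlisted must be False and each client site must be listed as allowed.
$section = Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $location
"allowUnlisted = $($section.allowUnlisted)"
$section.Collection | Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

Run it on the primary AuthAnvil server as an administrator. The verification at the end is the part worth keeping in a change record: if allowUnlisted reads True, the server is open to every address and the hardening has been undone.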
Create a Proxied User
In this step, we will create a proxied user for the client site. A Proxied User forwards authentication to a different AuthAnvil Two Factor Auth server for validation. This is how members of a Grouped User can manage all the machines remotely.
1. Open AuthAnvil Two Factor Auth Manager on the remote client site where an AuthAnvil Two Factor Auth SAS is also installed. Go to the ‘Users’ tab.
2. Create a ‘Proxied User’ with the same name as the ‘Grouped User’ on your corporate AuthAnvil Two Factor Auth SAS, such as ‘admintech’.
3. Point it at your corporate AuthAnvil Two Factor Auth SAS, e.g. https://yourmainserver.com/AuthAnvil/SAS.asmx
4. Complete steps 1-3 on any other client sites where you want to provide multi-site administration.
5. Install the AuthAnvil Two Factor Auth Windows Logon Agent on any client servers or workstations and ensure it points its authentication at the local server.
Alternate Configuration – No client-side AuthAnvil Two Factor Auth server
On client sites that do not have an AuthAnvil Two Factor Auth server, you can still offer centralized two-factor authentication. Instead of configuring the agents to use the local AuthAnvil Two Factor Auth server as in the previous steps, simply configure them to use the AuthAnvil Two Factor Auth server at your office. Just remember to configure an override password and/or security group so that, in a network-down situation, your staff can still log on.
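Whether the client site proxies through its own SAS or (in the alternate configuration) points its agents straight at the office server, the chain only works while the corporate SAS URL is reachable from that site and that site’s address is on the IIS allow-list. The check below is an added example, not part of the AuthAnvil documentation: run it from each client site after creating the Proxied User or deploying the agents. It assumes the SAS is a standard ASP.NET .asmx web service, so requesting the URL with ?WSDL appended returns its service description; the URL is the placeholder from the steps above, and the function name Test-SasEndpoint is this example’s own.

```powershell
# Added example (not from the AuthAnvil documentation): from a client site, confirm that the
# corporate SAS endpoint is reachable and not blocked by the IIS IP allow-list.
# Assumption: SAS.asmx is a standard ASP.NET web service that answers "?WSDL".
function Test-SasEndpoint {
    param(
        [Parameter(Mandatory)] [string] $SasUrl,
        [int] $TimeoutSec = 10
    )
    $result = [pscustomobject]@{
        Url        = $SasUrl
        Reachable  = $false
        StatusCode = $null
        Verdict    = ''
    }
    try {
        $response = Invoke-WebRequest -Uri "$SasUrl?WSDL" -UseBasicParsing -TimeoutSec $TimeoutSec
        $result.Reachable  = $true
        $result.StatusCode = [int]$response.StatusCode
        $result.Verdict    = if ($response.Content -match '<wsdl:definitions|<definitions') {
            'OK: SAS answered with its WSDL'
        } else {
            'Reachable, but the response is not a WSDL; check the SAS path'
        }
    } catch {
        # Non-2xx responses surface as exceptions; $_.Exception.Response carries the status
        # in both Windows PowerShell 5.1 and PowerShell 7.
        $http = $_.Exception.Response
        if ($http) {
            $result.Reachable  = $true
            $result.StatusCode = [int]$http.StatusCode
            $result.Verdict = switch ($result.StatusCode) {
                # IIS IP restrictions reject with 403 (substatus 403.6, "IP address rejected").
                403     { 'Denied by IIS: this site''s public IP is not in the SAS allow-list' }
                404     { 'Not found: the SAS path on the corporate server is wrong' }
                default { "HTTP $($result.StatusCode): inspect the server logs" }
            }
        } else {
            $result.Verdict = "No HTTP response: $($_.Exception.Message) (DNS, firewall, or TLS problem)"
        }
    }
    return $result
}

# Run once per client site; the verdict says which layer needs fixing.
Test-SasEndpoint -SasUrl 'https://yourmainserver.com/AuthAnvil/SAS.asmx' | Format-List
```

A 403 here is the expected result for any site you have not yet added to the allow-list, which is also a quick way to confirm that the restriction is still in force after the configuration change.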