This guide will instruct you on how to properly set up proxied users, grouped members, and how to configure Internet Information Services to properly support the addition of strong authentication for multi-site administration with AuthAnvil Two Factor Auth. This in turn empowers you as an AuthAnvil Two Factor Auth administrator to simultaneously revoke administrative rights to all remote sites for any grouped member with a simple click in your AuthAnvil Two Factor Auth Manager, saving you time and money in reactionary administration by going to each client site and deleting that member. This is a very powerful and useful feature.
A few definitions may help to guide you through this implementation guide:
Grouped User: An account in which multiple members may belong. A member must be an AuthAnvil Two Factor Auth user assigned an AuthAnvil Two Factor Auth token.
Proxied User: An account which delegates authentication to another AuthAnvil Two Factor Auth server.
One of the biggest difficulties when managing multiple client sites is dealing with the administrative burden of changing passwords when an employee leaves or changes roles in the business. This guide will assist you in configuring proxied delegation for use with Multi-Site Administration. This configuration allows selected group members within AuthAnvil Two Factor Auth to have the ability to log into remote client sites using their own AuthAnvil Two Factor Auth token alongside a single domain or root credential, eliminating the need for multiple hardware tokens to provide strong authentication across sites.
An added benefit of this approach is that it makes it extremely easy and cost effective to revoke such remote access across all client sites simultaneously by simply disabling a user’s token, or removing him from the primary grouped account.
Creating a Grouped User
Grouped Users are unique in that they act like normal users in AuthAnvil Two Factor Auth, but can have different members with different tokens assigned to them.
Step 1 - First open up AuthAnvil Two Factor Auth Manager, and then go to the ‘Users’ tab.
Step 2- Create a ‘Grouped User’ on your own corporate AuthAnvil Two Factor Auth SAS by mousing over the actions menu.
Step 3- Select ‘Add New Grouped User’.
Step 4 - Enter in a username that will match with the administrative name on the remote client systems. Common examples include “Administrator” or “root”. For Windows administration, we recommend that you do not use the default domain administrator and instead use a secondary account named something unique yet common across all client sites. We suggest naming it something like ‘admintech’.
Step 5- Assign members to the ‘Grouped User’ by moving them from the ‘Available Members’ tab to the ‘Current Members’ tab.
Step 6 – Click ‘Save Changes’ to complete the task.
Enabling IPs in IIS
If you have hardened your AuthAnvil Two Factor Auth server you may have reduced the attack surface of the AuthAnvil Two Factor Auth SAS to a limited set of IPs. If so, please follow the steps below to allow for access by the secondary AuthAnvil Two Factor Auth server(s):
Step 1 – Go in to the Internet Information Services (IIS) Manager on your primary AuthAnvil Two Factor Auth server at your office.
Step 2 - Click on Web Sites > Default Websites.
Step 3 - Right click on AuthAnvil and go to Properties > Directory Security tab.
Step 4 - Click Edit under the ‘IP address and domain name restrictions’ section.
Step 5 - Enable the IP addresses for all client sites. Ensure the ‘Denied Access’ option is checked, as you want to continue to have every IP denied EXCEPT the addresses you enter. Click ‘Add’.
Step 6 – Enter the IP addresses in manually, or click ‘DNS lookup’ to search by domain name. Click ‘OK’ when finished.
Step 7 - Follow steps 5 & 6 for each remote client site IP you wish to allow access from.
Create a Proxied User
In this step we will create a proxied user for the client site. A Proxied User forwards authentication to a different AuthAnvil Two Factor Auth server for validation. This is how members of a Grouped User can manage all the machines remotely.
Step 1 - Open up Anvil Manager on the remote client site where an AuthAnvil Two Factor Auth SAS is also installed. Go to the ‘Users’ tab.
Step 2 - Create a ‘Proxied User’ named the same as the ‘Grouped User’ on your corporate AuthAnvil Two Factor Auth SAS such as ‘admintech’
Step 3 - Point it your corporate AuthAnvil Two Factor Auth SAS. ie: https://yourmainserver.com/AuthAnvil/SAS.asmx
Step 4 - Complete Steps 1-3 on any other client sites you want to provide multisite administration on.
Step 5 - Install the AuthAnvil Two Factor Auth Windows Logon Agent on any client servers or workstation and ensure it is pointing its authentication to the local server. See the AuthAnvil Two Factor Auth Windows Logon Implementation Guide for further instructions on how to install.
Alternate Configuration – No client side AuthAnvil Two Factor Auth server
On client sites where they do not have an AuthAnvil Two Factor Auth server, you can still offer centralized two-factor authentication. Instead of configuring the agents to the local AuthAnvil Two Factor Auth server like in the previous steps, simply configure them to your AuthAnvil Two Factor Auth server at your office. Just remember to configure an override password and/or security group so in the case of net down situations, your staff can still log on.