The AuthAnvil Two Factor Auth Web Logon Agent gives companies the ability to add strong two-factor authentication to web directories or web applications running on IIS. Below is a step-by-step guide explaining how to install and configure the agent.
Note: This integration is only compatible with IIS 6/7. IIS 8 is not supported.
- Download the Web Logon Agent Installer as instructed at https://helpdesk.kaseya.com/entries/88988058
- Click Run to start the install immediately or Save to manually start the installer.
- Click Next on the welcome installer dialog after ensuring the recommendations are met.
- Review the license agreement and when satisfied enable the I Agree checkbox and click Next.
- Select the path to which the Web Logon Agent will be installed, then click Next. The default is C:\Program Files\Scorpion Software.
- Click Next to install the agent.
- Once the installation completes, click Finish to close the installation wizard and to optionally launch the AuthAnvil Web Logon Configuration Wizard.
Global Security Configuration Wizard
First, an account must be set up that the web logon agent will use to query Active Directory for groups and their members. The agent uses this account whenever it needs the list of groups later in the configuration.
When prompted, enter a username and password. This user must have impersonation rights on the domain. The administrator account is used here for demonstration purposes only; in production, use a dedicated account that has impersonation rights on the domain and nothing more. The agent retains these credentials so it can query AD later, so an administrator account here would turn a compromise of the IIS server into a compromise of the domain.
- After the information has been entered, click ‘Test Logon’ to complete the Wizard.
Note: This may take up to 10 seconds to complete. On completion, the confirmed user shown should match the username you entered.
- Click Finish to close the Global Security Wizard and proceed with the AuthAnvil Web Logon Configuration Wizard in order to configure new sites for the web logon agent.
Note: The Global Security Configuration Wizard only runs once, on initial install. If you need to change the account used for AD queries (for example after rotating its password), you can run the tool manually at any time.
Protecting a Website
The AuthAnvil Web Logon Configuration Wizard allows for the configuration of protection scopes inside Internet Information Services (IIS). Please note that the entire configuration wizard MUST finish before changes are applied to the web logon agent. This guide will start with ‘Select a New Site to Protect’ and use an intranet site as an example. Once the AuthAnvil Two Factor Auth Web Logon Agent has been installed, you can access the settings by opening the AuthAnvil Web Logon Configuration Wizard from the program’s Start menu.
Click Start > All Programs > Scorpion Software > AuthAnvil Web Logon Agent > AuthAnvil Web Logon Agent Configuration Tool
- After clicking Next on the Configuration Utility Window, choose Enable Protection for a Web Directory.
- Choose from a list of unprotected web sites, or a virtual directory within that site, to protect. Sites already protected will be grayed out or may not be present.
- In this step configure the protection settings for the web logon agent, such as the Primary AuthAnvil 2FA SAS URL and Primary Site ID. Click Next when complete.
Note: You can use an AuthAnvil Strong Authentication Server that is not local by entering a Fully Qualified Domain Name, e.g. https://domain.com/AuthAnvil/SAS.asmx. Open the URL in a browser on the IIS server to ensure the server can reach the web service and that it trusts the SSL certificate; the agent runs on this server, so it is this server's certificate store, not your workstation's, that matters.
Security Note: Use SSL so that the authentication PIN and password are encrypted in transit. SSL is required to use the Web Logon Agent whether or not you select the option here; without it the credentials cross the network in clear text.
- IP addresses appearing in the IP whitelist will not require authentication: browsers coming from those addresses open the protected site immediately, with no second factor. You can add individual IPs or a range; click Add after each entry. You can include up to 1500 IPs. Because every whitelisted address bypasses two-factor authentication entirely, keep the list as short as possible and never whitelist an address that untrusted clients share, such as a NAT gateway or reverse proxy that many users sit behind. Once done, click Next.
Note: Some web applications use the localhost for their own internal services and require open communication to the localhost. (Windows SharePoint Services Companyweb and Kaseya are examples of this.) You may need to implement an additional registry key to allow the application full access to localhost. Details on this are in the ‘Localhost White Listing’ section of the appendix of this document.
Note for ISA Proxy users: Due to payload inspection on the ISA proxy server, you need to reconfigure port 4260 to allow SSL traffic. You can do this by using the ISA TPR script available at http://www.isatools.org/tools/isa_tpr.js
Usage: cscript isa_tpr.js /add AAWL 4260
- Select the Authorized Groups whose members the web logon agent will authorize for this protected application. By default this is set to Everyone. If you select specific Security Groups, only their members will be authorized to access this protected resource.
Note: The ‘Everyone’ group ALSO covers accounts NOT in Active Directory. If ‘Everyone’ is set, no AD Security Group check is performed. The setting is either ‘Everyone’ OR the selected groups, not both.
Security Note: Adding only the groups that need access reduces the attack surface of the protected web application and restricts who is allowed to authenticate. Users then need both a valid authentication token and membership in an authorized group before being permitted access.
- Review the affected web directory and ensure it is correct. Click ‘Finish’ to apply the settings.
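The whitelist step above exempts every listed address from two-factor authentication, so the list deserves a review before it is typed in. The PowerShell below is an added example, not part of the AuthAnvil documentation or product: it parses a candidate list (single addresses, start-end ranges, or CIDR notation, which is an assumed input format; check it against the wizard's own entry syntax), sizes each entry, flags ranges wider than a threshold, totals the exempt addresses against the 1500 limit, and tests whether a given client address, such as one behind a NAT gateway, would silently skip the second factor. The sample list is constructed.

```powershell
# Added example, not part of the AuthAnvil documentation or product.
# Audits a candidate IP whitelist before it is entered in the wizard. Every
# address covered here reaches the protected site with no second factor, so
# each entry should be as narrow as possible and justified.
# Accepted entry forms (an assumption; check them against the wizard's own
# syntax): "a.b.c.d", "a.b.c.d-w.x.y.z", or CIDR "a.b.c.d/nn".

function ConvertTo-IpNumber {
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip.Trim())
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 is handled here: $Ip"
    }
    $n = [uint64]0
    foreach ($b in $addr.GetAddressBytes()) { $n = ($n * 256) + [uint64]$b }
    return $n
}

function ConvertTo-IpString {
    param([uint64]$Number)
    $octets = @()
    for ($i = 3; $i -ge 0; $i--) {
        $octets += [string]([int]([Math]::Floor($Number / [Math]::Pow(256, $i)) % 256))
    }
    return ($octets -join '.')
}

function ConvertFrom-WhitelistEntry {
    param([string]$Entry)
    $e = $Entry.Trim()
    if ($e -match '^([0-9.]+)/(\d{1,2})$') {
        $prefix = [int]$Matches[2]
        if ($prefix -gt 32) { throw "Invalid prefix length: $Entry" }
        $size  = [uint64][Math]::Pow(2, 32 - $prefix)
        $base  = ConvertTo-IpNumber $Matches[1]
        $start = [uint64]($base - ($base % $size))     # align to the network boundary
        $end   = [uint64]($start + $size - 1)
    } elseif ($e -match '^([0-9.]+)-([0-9.]+)$') {
        $start = ConvertTo-IpNumber $Matches[1]
        $end   = ConvertTo-IpNumber $Matches[2]
        if ($end -lt $start) { throw "Range end precedes its start: $Entry" }
    } else {
        $start = ConvertTo-IpNumber $e
        $end   = $start
    }
    New-Object PSObject -Property @{ Entry = $e; Start = $start; End = $end; Count = [uint64]($end - $start + 1) }
}

function Get-WhitelistReport {
    param([string[]]$Entries, [int]$WideRangeThreshold = 256, [int]$WizardLimit = 1500)
    $parsed = @($Entries | ForEach-Object { ConvertFrom-WhitelistEntry $_ })
    $total  = [uint64]0
    foreach ($p in $parsed) {
        $total += $p.Count
        $flag = ''
        if ($p.Count -gt $WideRangeThreshold) { $flag = 'WIDE RANGE: narrow it or document why it is needed' }
        '{0,-28} {1,-15} to {2,-15} {3,10}  {4}' -f $p.Entry, (ConvertTo-IpString $p.Start), (ConvertTo-IpString $p.End), $p.Count, $flag
    }
    'Entries: {0}   Addresses exempt from 2FA: {1}   (wizard limit: {2})' -f $parsed.Count, $total, $WizardLimit
}

function Test-IpExempt {
    param([string]$ClientIp, [string[]]$Entries)
    $n = ConvertTo-IpNumber $ClientIp
    foreach ($entry in $Entries) {
        $p = ConvertFrom-WhitelistEntry $entry
        if ($n -ge $p.Start -and $n -le $p.End) { return $p.Entry }   # first entry that exempts the client
    }
    return $null
}

# Constructed sample list, not from any real deployment.
$candidate = @('192.168.10.25', '192.168.10.0/24', '172.16.5.10-172.16.5.20', '10.0.0.0/8')
Get-WhitelistReport -Entries $candidate
# A client that arrives through a NAT gateway or proxy inside a whitelisted range skips 2FA:
$hit = Test-IpExempt -ClientIp '10.200.3.4' -Entries $candidate
if ($hit) { "10.200.3.4 would skip two-factor authentication because of entry '$hit'" }
```

In the sample, the 10.0.0.0/8 entry is flagged: it exempts 16,777,216 addresses, and any host that reaches the IIS server from inside that range, including anything NATed behind a 10.x gateway, never sees the second factor.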
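Before relying on the Authorized Groups setting, a practitioner will want to confirm that the AD query account created in the Global Security Configuration Wizard can actually enumerate the groups to be authorized, and that it is no more privileged than it needs to be. The PowerShell below is an added example, not part of the AuthAnvil documentation or product: it binds to Active Directory with the query account's explicit credentials rather than the logged-on administrator's token (so your own rights cannot mask a permissions problem), resolves nested membership server-side, escapes user-supplied names before placing them in an LDAP filter, and checks that the query account is not itself a Domain Admin. The domain controller, search base, account and group names are placeholders.

```powershell
# Added example, not part of the AuthAnvil documentation or product.
# Exercises the AD query account the way the agent will: read a security
# group and its (nested) members. All names below are placeholders.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a group or DN containing ( ) * \ cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupMembersAsAccount {
    param(
        [string]$DomainController,   # e.g. dc01.example.local
        [string]$SearchBase,         # e.g. DC=example,DC=local
        [string]$QueryUser,          # e.g. EXAMPLE\svc-aa-ldap
        [string]$QueryPassword,
        [string]$GroupName           # sAMAccountName of the group to authorize
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DomainController/$SearchBase", $QueryUser, $QueryPassword
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.PageSize = 500
    $searcher.Filter = '(&(objectCategory=group)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $GroupName)
    $group = $searcher.FindOne()
    if ($group -eq $null) { throw "Group '$GroupName' not found, or not readable by $QueryUser" }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the DC
    # (Windows Server 2003 SP2 and later), so one query covers groups-in-groups.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={0}))' -f (ConvertTo-LdapFilterValue $groupDn)
    $searcher.PropertiesToLoad.Clear()
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            User     = [string]$r.Properties['samaccountname'][0]
            Disabled = (($uac -band 2) -ne 0)       # ADS_UF_ACCOUNTDISABLE
        }
    }
}

$cred   = Get-Credential 'EXAMPLE\svc-aa-ldap'        # the dedicated AD query account
$common = @{
    DomainController = 'dc01.example.local'; SearchBase = 'DC=example,DC=local'
    QueryUser = $cred.UserName; QueryPassword = $cred.GetNetworkCredential().Password
}
$members = @(Get-GroupMembersAsAccount @common -GroupName 'Intranet-2FA-Users')
'{0} members resolved (nested groups included), {1} disabled' -f $members.Count, @($members | Where-Object { $_.Disabled }).Count

# Least-privilege check: the query account must not itself be a Domain Admin.
$short  = $cred.UserName.Split('\')[-1]
$admins = @(Get-GroupMembersAsAccount @common -GroupName 'Domain Admins')
if ($admins | Where-Object { $_.User -eq $short }) {
    Write-Warning "$short is a member of Domain Admins; use a less privileged account for AD queries."
}
```

If the first query fails with an access or logon error, the wizard's Test Logon would have failed for the same reason; if it succeeds but the Domain Admins check warns, the account works but is over-privileged and should be replaced before the agent stores its credentials.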
Add a certificate to the AuthAnvilLogon site in IIS.
The installer creates a new website in IIS called AuthAnvilLogon. This site is where all browsers are redirected to for authentication. After doing so, the browser is redirected back to the original requested site.
Note: You will require an existing certificate on the server. You can create self-signed certificates in SBS with the Certificate wizard, or with the SelfSSL tool from the IIS 6 Resource Kit available from Microsoft.
Security Note: If your site will be externally available, use a certificate from a third-party certificate authority. Browsers will then trust the certificate on the protected resource without users having to trust it manually, which also stops users from learning to click through certificate warnings.
- Open IIS Manager by clicking Start >Administrative Tools > Internet Information Services (IIS) Manager
- Open the Web Sites folder and right-click on the AuthAnvilLogon site. Click on Properties.
- Click on Directory Security tab and in the secure communications area click the Server Certificate button.
- The Web Server Certificate wizard will start. Click Next.
- Enable the option Assign an existing certificate. Click Next.
- Select your certificate you want to use, then click Next.
- Confirm that the SSL port is 4260, then click Next.
- Complete the wizard by clicking Finish.
Critical Note: You must open TCP port 4260 on your firewall, otherwise users will get a ‘404 – Page cannot be displayed’ error when they are redirected to the logon site.
Note: regarding ISA Proxy: If you use ISA proxy, you must allow SSL traffic on port 4260.
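Two of the checks above are worth scripting so they can be repeated after certificate renewals: that the IIS server reaches the SAS URL and trusts its certificate (the browser test in the protection step), and that clients reach the AuthAnvilLogon site on port 4260 with a certificate their browsers trust (the certificate and firewall steps). The PowerShell below is an added example, not part of the AuthAnvil documentation or product. The host names and the certificate subject are placeholders; the binding and firewall commands assume IIS 7 with the WebAdministration module and Windows Firewall with Advanced Security, and are an alternative to the IIS 6 wizard steps above, not a transcription of them.

```powershell
# Added example, not part of the AuthAnvil documentation or product.

# --- IIS 7 equivalent of the certificate wizard steps (assumption: WebAdministration
# --- module present; on IIS 6 use the GUI wizard). 'auth.example.com' is a placeholder.
Import-Module WebAdministration
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=auth.example.com*' } | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw 'No certificate for auth.example.com in LocalMachine\My; request or import one first.' }
New-WebBinding -Name 'AuthAnvilLogon' -Protocol https -Port 4260
Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item -Path 'IIS:\SslBindings\0.0.0.0!4260'
netsh advfirewall firewall add rule name="AuthAnvil Web Logon (TCP 4260)" dir=in action=allow protocol=TCP localport=4260

# --- Verification: does this machine reach the endpoint, and does it trust the
# --- certificate it presents? Runs a strict handshake first; if that fails, a
# --- second permissive pass fetches the certificate so the report says why.
function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port)
    $r = New-Object PSObject -Property @{
        Endpoint = "${HostName}:${Port}"; Reachable = $false; Trusted = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    # Used on the second pass only: accept anything so the details can be reported.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    foreach ($strict in @($true, $false)) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($HostName, $Port)
            $r.Reachable = $true
            if ($strict) { $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false) }
            else { $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny) }
            $ssl.AuthenticateAsClient($HostName)   # strict pass throws if the chain or host name fails validation
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $r.Subject = $cert.Subject; $r.Issuer = $cert.Issuer; $r.NotAfter = $cert.NotAfter
            if ($strict) { $r.Trusted = $true; break }
        } catch {
            $r.Error = $_.Exception.Message
            if (-not $r.Reachable) { break }        # closed or filtered port: nothing more to learn
        } finally {
            $tcp.Close()
        }
    }
    return $r
}

# Run on the IIS server: the agent must reach and trust the SAS it will call.
Test-TlsEndpoint -HostName 'sas.example.com' -Port 443 | Format-List
# Run from a client workstation (outside the firewall if the site is published):
# the browser redirect to port 4260 must connect and present a trusted certificate.
Test-TlsEndpoint -HostName 'auth.example.com' -Port 4260 | Format-List
```

Reachable=False on port 4260 is the firewall or ISA problem described in the critical note; Reachable=True with Trusted=False and a populated Subject is a certificate the client does not trust, typically a self-signed or internal-CA certificate exposed to external users.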
Edit Settings for a Protected Site
Editing a protection scope on a web application is no different from creating it. The only thing to be aware of is that an iisreset is required so that the copy of the agent resident in memory reloads its settings. The wizard will prompt for this; alternatively you can run it manually by opening a run prompt, typing iisreset and clicking OK.
Note: If you skip the iisreset after an edit, the new settings may not be applied until IIS reloads the agent for some other reason, so the old scope stays in force in the meantime.
Tip: Remember that an iisreset will halt all current web sessions. It is recommended you make such changes during non-peak work hours.
If any of your protected virtual directories are accessed externally (e.g. OWA), you will need to configure ISA to allow the AuthAnvilImages folder through. If it is not allowed, the authentication page will show no graphics and will not properly display some errors. If you are not using ISA, disregard this step. This example uses OWA; you may need to look for the specific rule that publishes your virtual directory.
When you ran the Internet Connection Wizard, it created a rule called SBS OWA Web Publishing Rule. Modify the existing rule and add /AuthAnvilImages/* to the Paths tab.
Localhost White Listing
Some web applications install to the localhost address and may require unrestricted access to function properly. Windows SharePoint Services for companyweb and Kaseya are such examples of this. In such cases you will need to add a key in the registry to accommodate this.
Security Note: This setting disables strong authentication completely for requests that reach the IIS server through the localhost address, and should only be used if needed. Any value other than 1 disables the bypass again. Anything that can make a request from the server itself (a service, a scheduled task, or an attacker with code execution on the box) reaches the protected site without a second factor while this key is set.
- Launch the registry editor by opening a run prompt and entering regedit and clicking OK.
- Browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvil\WebLogon
- Add a new entry with the following settings:
- Close the registry editor and open a new browser window to test that the reg key is now being used.
If changes are made to the MIME settings on a web site, IIS displays a dialog asking whether the ‘ScriptMaps’ should also be copied to all child nodes. If Yes is selected, the AAWebLogon extension mapping is copied to all child nodes as well, including directories that were never meant to be protected.
If this happens, the copied references to the DLL need to be removed from each affected child node. Select the virtual directory in IIS, right-click and choose Properties. On the Home Directory tab click the Configuration button and remove the reference to aaweblogon.dll in the bottom pane. An iisreset is needed to apply the change: open a run prompt, enter iisreset and click OK.
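Finding every node that picked up the copied mapping by clicking through IIS Manager is error-prone on a server with many virtual directories. The PowerShell below is an added example, not part of the AuthAnvil documentation or product: it walks the metabase through the IIS ADSI provider (present on IIS 6; on IIS 7 it requires the IIS 6 Metabase Compatibility role service), reports every web directory or virtual directory outside the intended protection scope whose ScriptMaps reference aaweblogon.dll, and with -Remove writes the mapping list back without that entry, which is what the Configuration dialog does by hand. Values read through ADSI are effective values, inherited ones included, so pass the metabase path of each intended protection scope in -Keep; everything at or beneath those paths is left alone so the protected scope is never weakened. The metabase paths are placeholders; the DLL name is the one the text above refers to.

```powershell
# Added example, not part of the AuthAnvil documentation or product.
# Lists (and optionally removes) aaweblogon.dll script maps that the
# "copy to child nodes" dialog spread outside the intended protection scope.
# Requires the IIS ADSI provider (IIS 6, or IIS 7 with IIS 6 Metabase Compatibility).

function Get-AAWebLogonScriptMaps {
    param(
        [string]$RootPath = 'IIS://localhost/W3SVC',
        [string]$DllName  = 'aaweblogon.dll',
        [string[]]$Keep   = @(),     # metabase paths of the scopes that are meant to be protected
        [switch]$Remove
    )
    $changed = 0
    $stack = New-Object System.Collections.Stack
    $stack.Push([ADSI]$RootPath)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in $node.Children) { $stack.Push($child) }
        # Only site roots, directories and virtual directories carry ScriptMaps.
        if ($node.SchemaClassName -notmatch '^IIsWeb(VirtualDir|Directory)$') { continue }
        $path = $node.Path
        # Inside an intended scope the map is legitimate, whether explicit or inherited.
        if ($Keep | Where-Object { $path -eq $_ -or $path -like "$_/*" }) { continue }
        $maps = @($node.Properties['ScriptMaps'] | ForEach-Object { [string]$_ })
        $bad  = @($maps | Where-Object { $_ -like "*$DllName*" })
        if ($bad.Count -eq 0) { continue }
        New-Object PSObject -Property @{ Path = $path; Class = $node.SchemaClassName; Map = ($bad -join '; ') }
        if ($Remove) {
            # Writing the list back sets an explicit ScriptMaps on this node without the agent's entry.
            $node.Properties['ScriptMaps'].Value = [object[]]@($maps | Where-Object { $_ -notlike "*$DllName*" })
            $node.SetInfo()
            $changed++
        }
    }
    if ($changed -gt 0) {
        Write-Warning "$changed node(s) changed; run iisreset so the agent reloads its configuration."
    }
}

# Report only: everything outside the intranet scope that still carries the map.
Get-AAWebLogonScriptMaps -Keep 'IIS://localhost/W3SVC/1/ROOT/intranet' | Format-Table -AutoSize
# After reviewing the report, strip the stray maps (then iisreset as the warning says):
# Get-AAWebLogonScriptMaps -Keep 'IIS://localhost/W3SVC/1/ROOT/intranet' -Remove
```

Run the report first and compare it with the list of scopes you configured in the wizard; a node that appears in the report but is not an intended scope is one the dialog copied the map to. Because the wizard must own the protected scope's own mapping, never pass -Remove without the corresponding -Keep path.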