How to configure two-factor authentication (2FA) for technicians in ADManager Plus?

 Objective:

To configure two-factor authentication (2FA) for technicians in ADManager Plus.


Solution:

You can secure logins to the ADManager Plus console by configuring two-factor authentication (2FA). If ADManager Plus technicians have 2FA enabled, they must authenticate twice to log in to the console: first by entering their credentials, and then through an additional method enabled by the admin. However, the ADManager Plus default admin account is allowed to skip 2FA.

ADManager Plus allows 2FA to be performed through authentication services such as:

  • Duo Security

  • Google Authenticator

  • RSA Authenticator

  • Microsoft Authenticator

  • SMS Verification

  • One time password (OTP) via email

 

Steps to configure 2FA in ADManager Plus using different applications

  1. Log in to ADManager Plus and click the Delegation tab.

  2. Under the Configuration section in the left pane, click Logon Settings.

  3. Click the Two Factor Authentication tab.

  4. Toggle the Two Factor Authentication button on.

  5. Select any of the following authentication services for 2FA:

    1. Duo Security

      1. Log in to your Duo Security account, and navigate to the Applications > Protect an application section in the left pane.

      2. Search for Web SDK from the list of applications and click Protect. Refer here for more information on Web SDKv4.

      3. Copy the Client ID, Client secret, and API hostname.

      4. Now, go to the ADManager Plus console and expand Duo Security.

      5. Check the Enable Duo Security option and select Web v4 SDK as the Integration Type.

      6. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.

      7. Enter the same username pattern used in Duo Security in the Username Pattern field.

      8. Click Save.

 

    2. Google Authenticator

      1. Install and set up Google Authenticator on your smartphone by following the steps listed on this page.

      2. Switch to ADManager Plus and expand Google Authenticator.

      3. Click the Enable Google Authenticator button.

      4. While logging in to ADManager Plus, enter the code generated by the Google Authenticator app on your smartphone, in addition to your username and password.

    3. One time password via email

In order to receive OTP via email, you need to configure the email server settings in the product.

      1. Expand One time password via email and check the One time password via email option.

      2. Enter a subject and draft a message using Macros in the Subject and Message fields, respectively.

      3. Click Save.

    4. RSA Authenticator

RSA SecurID is a 2FA mechanism developed by RSA, the Security Division of EMC, for users attempting to access a network resource. Users can use the security codes generated by the RSA SecurID mobile app, a hardware token, or a token sent to their email or mobile device to log in to ADManager Plus. You can follow the steps below to configure RSA SecurID for SDK integration.

Steps to configure RSA SecurID for SDK integration:

      1. Log in to your RSA admin console (e.g., https://RSAmachinename.domain DNS name/sc).

      2. Go to the Access tab.

      3. Under Authentication Agents, click Add New.

      4. Add ADManager Plus Server as an Authentication Agent and click Save.

      5. Navigate back to the Access tab. Under Authentication Agents, click Generate Configuration File.

      6. Download the AM_Config.zip file.

      7. Copy the Authentication Manager configuration file, sdconf.rec, from the zip file and paste it in <-installation-dir>/bin. If there is a file named securid (the node secret file), copy and paste it, too.

Note:

        • Ensure that the JAR files mentioned below are extracted from RSA SecurID and placed in the <ADManagerPlus_install_directory>/lib folder:

          • authapi.jar

          • Log4j.jar

          • certj.jar

          • commons-logging.jar

          • cryptojce.jar

          • cryptojcommon.jar

          • jcmFIPS.jar

          • sslj.jar

          • xmlsec.jar

        • Restart ADManager Plus after adding the files.

 

    5. Microsoft Authenticator

      1. Install and set up Microsoft Authenticator on your smartphone.

      2. Navigate to ADManager Plus and expand Microsoft Authenticator.

      3. Check the Enable Microsoft Authenticator option.

      4. While logging in to ADManager Plus, enter the code generated by the Microsoft Authenticator app on your smartphone, in addition to your username and password.

    6. SMS verification

To enable SMS verification as an authentication method, configure SMS gateway settings in ADManager Plus and follow these steps:

      1. Expand SMS Verification and check the Enable SMS Verification box.

      2. In the Message field, enter the SMS content using macros and click Save.

        • Steps to enroll your phone number

          1. Log in to ADManager Plus using your account credentials.

          2. In the Log in using SMS Verification page that opens up, enter your phone number and click Send Code.

          3. Enter the six-digit secret code you received via SMS in the field. If needed, enable the Trust this browser option to skip this step for the next 180 days.

          4. Click Verify code.
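
The RSA SecurID file-copy step above is easy to get subtly wrong (a missing or misspelled JAR, or sdconf.rec in the wrong folder), so the following added example, which is not part of the original article or of ADManager Plus, checks the layout before you restart the product. The function names, the similarity cutoff, and passing the installation directory as an argument are assumptions of this sketch; the file names are the ones listed in the article, with the Crypto-J JCE file spelled cryptojce.jar.

```python
import difflib
import sys
from pathlib import Path

# JAR names from the article's list (matched case-insensitively, as on Windows).
REQUIRED_JARS = [
    "authapi.jar", "Log4j.jar", "certj.jar", "commons-logging.jar",
    "cryptojce.jar", "cryptojcommon.jar", "jcmFIPS.jar", "sslj.jar", "xmlsec.jar",
]
CONFIG_FILE = "sdconf.rec"   # Authentication Manager configuration file, goes in bin
NODE_SECRET = "securid"      # node secret file, only present in some deployments


def _names(directory: Path) -> dict:
    """Map lower-cased file name -> actual file name for one directory."""
    if not directory.is_dir():
        return {}
    return {p.name.lower(): p.name for p in directory.iterdir() if p.is_file()}


def check_rsa_layout(install_dir) -> dict:
    """Report missing RSA SecurID files and likely misnamed JARs under install_dir."""
    root = Path(install_dir)
    lib, bin_ = _names(root / "lib"), _names(root / "bin")
    missing = [j for j in REQUIRED_JARS if j.lower() not in lib]
    expected = {j.lower() for j in REQUIRED_JARS}
    extras = [n for n in lib if n.endswith(".jar") and n not in expected]
    # A missing JAR with a near-identical file present usually means a typo in the name.
    misnamed = {}
    for jar in missing:
        close = difflib.get_close_matches(jar.lower(), extras, n=1, cutoff=0.85)
        if close:
            misnamed[jar] = lib[close[0]]
    return {
        "missing_jars": missing,
        "misnamed": misnamed,
        "config_present": CONFIG_FILE in bin_,
        "node_secret_present": NODE_SECRET in bin_,
        "ready": not missing and CONFIG_FILE in bin_,
    }


if __name__ == "__main__":
    report = check_rsa_layout(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["ready"] else 1)
```

Run it with the ADManager Plus installation directory as the only argument; a non-zero exit status means a required file is still missing.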

