Previous Articles in this series
Part 2 – Citrix FAS and StoreFront
Part 3 – NetScaler Unified Gateway and NetScaler ADFS Proxy
In Part 4 – Microsoft Azure Multi Factor Authentication I am going to walk you through setting up Azure MFA Server and integrating it with the ADFS infrastructure we built earlier in this series, so that access to your apps and desktops requires two-factor authentication.
Let's get going...
First thing you will need to do is log into your “old” (classic) Microsoft Azure Portal: https://manage.windowsazure.com (Microsoft has since retired the classic portal and no longer offers MFA Server to new customers, so these steps apply to existing MFA Server deployments.)
On the left navigate down to Active Directory
At the top click on Multi Factor Auth Providers
Then on the bottom of the screen click to create a new provider if one does not already exist
Give it a name, pick your licensing method and choose not to link a directory unless you already have one you want to link in
Once created you should see your provider listed and active
At the bottom you can now click on Manage – this will open up the MFA management portal
Once in the new portal click on Downloads
Then download the MFA Server software and save it to a central location you can access from your ADFS Server
NOTE: The MFA Server software is being installed on the ADFS Server we built earlier in this series. It can be installed on a separate server, but for the purpose of this blog series and for simplicity I will put it on the same server as ADFS
Log into the ADFS Server and launch the installer you downloaded earlier
You will be prompted to install the pre-reqs
Let these run and make sure that they install correctly
Next pick the destination you want MFA installed to
Click next and wait for the install to complete
The setup will prompt you for the first run wizard – click Next and you will be asked for an activation e-mail address and password.
Switch back to your MFA management portal and click on Generate Credentials
Copy and paste these into the MFA First Run Wizard to activate the server
Wait for this to complete
Next you will be asked for the group you wish to add the MFA Server to. In this example I am going to create a new group; however, you may wish to add it to an existing MFA Server group
Select to enable replication between servers, this will enable config replication should you add servers to the group at a later date for high availability
Leave Active Directory and Certificates selected
Add the host MFA Server to the PhoneFactor Admins group in Active Directory – you will need to be logged into the ADFS Server as a user that has the rights to perform this action
Click next to generate the self signed certificates to enable cert based replication
Select RADIUS as an MFA provider
Enter the SNIP of your NetScaler as the RADIUS client and set a long, random shared secret – the same secret has to be entered in the NetScaler RADIUS action later, so record it somewhere safe
Select Windows Domain as the RADIUS target
Click Next
Then reboot to complete the first run configuration
Once the server is back up and running, open the Azure MFA Server Config Client; if you select the Status option on the right you should see your new server Online and Running and listed as the Master
Next you will need to add the users you want to be able to use the MFA service – to do this head over to the Users section
Click to import users from Active Directory – find the users you wish to use and select Import
NOTE: If the user does not have a phone number present in their Active Directory account MFA will import the user, but they will be disabled and not able to use MFA
Click to edit the user
Make sure the user has a phone number and that they are enabled
Once enabled, select the user and click on Test User
Enter the password
Check your phone and follow the voice prompts to complete your authentication
Check for a successful authentication
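Because a user with no phone number imports as disabled, it is worth checking the directory before the import rather than fixing users one at a time afterwards. The following PowerShell is an added example, not part of the original post, and assumes the RSAT ActiveDirectory module is installed and that the users to be enrolled are members of a hypothetical group called "MFA Users". It lists members with no phone number at all and members whose number is not in E.164 form (+countrycode, digits only), which is the safest format for the MFA service to dial.

```powershell
# Added example (not from the original post): pre-check the users you are about
# to import into Azure MFA Server. Users without a phone number import disabled.
# Assumes the RSAT ActiveDirectory module and a hypothetical group "MFA Users".
Import-Module ActiveDirectory

$groupName = 'MFA Users'   # hypothetical group name; change to suit

# MFA Server maps AD attributes to the primary and backup phone; telephoneNumber
# and mobile are the usual choices (check the mapping in the MFA Server console).
$members = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties telephoneNumber, mobile, Enabled

# No number in either attribute: these will import as disabled.
$missing = @($members | Where-Object {
    [string]::IsNullOrWhiteSpace($_.telephoneNumber) -and
    [string]::IsNullOrWhiteSpace($_.mobile)
})

# A number is present but not E.164 (+ followed by 7 to 15 digits).
$badFormat = @($members | Where-Object {
    $n = if ($_.mobile) { $_.mobile } else { $_.telephoneNumber }
    $n -and ($n -notmatch '^\+\d{7,15}$')
})

'{0} members, {1} without any phone number, {2} with a non-E.164 number' -f `
    @($members).Count, $missing.Count, $badFormat.Count

$missing   | Select-Object SamAccountName, Enabled | Format-Table -AutoSize
$badFormat | Select-Object SamAccountName, telephoneNumber, mobile | Format-Table -AutoSize
```

One security point this check does not cover: whichever AD attribute feeds the MFA phone number is effectively the second factor, so anyone who can write that attribute (the user via self-service, or helpdesk staff) can redirect the phone call. Restrict write access to those attributes as tightly as you would a password reset.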
Next we need to install the ADFS Connector for Azure MFA. Head over to the ADFS section, select the options you want available for your users, and click Install ADFS Adapter. I normally disable "allow self enrolment" (although not shown below as I forgot on this occasion!)
Click Next to start the install
Wait for it to complete successfully
Next we need to enable this within the ADFS Console – open it up and navigate to Authentication Policies
On the right you will see the Multi Factor Authentication Options. Click on Edit
Enable MFA for BOTH internal and external connections and select the Azure Multi-Factor Authentication Server as the additional authentication method
NOTE: We will be looking at disabling this for internal users and enabling SSO in the next post in this series
That's it – our ADFS service should now require Azure MFA for ALL authentications
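The same two settings can be applied and, more usefully, verified from PowerShell on the ADFS server, which is handy when you have more than one server in the farm or want to confirm what the console actually wrote. This is an added example, not from the original post; it assumes the adapter has already been installed from the MFA Server console (which is what registers it with ADFS) and that you are running as an ADFS administrator. The global additional-authentication rule below has no condition, which is exactly what ticking both the intranet and extranet boxes does.

```powershell
# Added example (not from the original post): make the Azure MFA Server adapter
# the additional authentication provider and require it for every request.
# Assumes the adapter is already installed/registered and you are an ADFS admin.
Import-Module ADFS

# Discover the adapter's registered name instead of hard-coding it.
$provider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.DisplayName -like '*Azure Multi-Factor*' -or $_.Name -like '*AzureMultiFactor*' }

if (-not $provider) {
    throw 'Azure MFA Server adapter is not registered with ADFS; install it from the MFA Server console first.'
}

# Offer the adapter as the (only) additional authentication provider.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($provider.Name)

# Unconditional rule: MFA is required for all users from all locations.
$rule = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# Verify what ADFS now enforces.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Run the verification part alone on each ADFS server after any console change; the global policy is farm-wide, but the adapter itself has to be installed on every server in the farm, and `Get-AdfsAuthenticationProvider` returning nothing on one node is the usual reason MFA silently works on some logons and not others.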
Lets test internally
Navigate to your Unified Gateway
Enter Credentials
Answer Phone Call and complete authentication
Apps and Desktops Available
Now for External Testing
Navigate to your Unified Gateway and enter credentials (NOTE the different login prompts)
Complete the authentication using the phone
Apps and Desktop available!
So, that’s it. Next we will be looking at providing content aware login for internal and external access as well as providing SSO for internal resources.
Part 5 – Context Aware Logins – Single Factor Internal and MFA External
Laters,
b@m
We currently have MFA Server configured with RADIUS with our NetScaler. This is working great and users get an MFA challenge when logging into Citrix.
Now we want to integrate MFA Server with our ADFS server, by installing the ADFS adapter.
Question I have is, do users get 2 MFA challenges? One when logging into Citrix (RADIUS), and when they go to Office 365 via ADFS (with the ADFS MFA Adapter) do they get a second MFA challenge?
So does MFA Server issue one MFA token that can be used across RADIUS and ADFS (adapter) MFA authentication?