Monday, June 27, 2016

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server

Related blogs:

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server  - http://portal.sivarajan.com/2016/07/configuring-deepnet-security-safeid.html

Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Microsoft Azure MFA on-premises server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token. You can see the other MFA authentication options in my Azure MFA Server–Authentication Types (Part I) and Azure MFA Server–Authentication Types (Part II) blogs. OATH tokens can be added or imported before they are associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server console or in the User Portal. Users can associate themselves with an OATH token during User Portal enrollment, or from the OATH Token menu option when the User Portal is configured to provide that functionality. MFA Server also supports bulk token import and configuration: an administrator can import OATH token records from an input file. In every case the secret keys must be in Base32 format. This blog provides step-by-step instructions for configuring a YubiKey OATH token with Microsoft Azure MFA Server.

Requirements:

The following are the prerequisites for this configuration.

  1. Microsoft Azure MFA on-premises server
  2. YubiKey hardware
  3. YubiKey Personalization Tool
  4. Yubico Authenticator application

YubiKey Personalization Tool – Installation and Configuration

Microsoft Azure MFA Server supports only OATH TOTP (time-based) tokens. The TOTP credential used here is stored in the YubiKey's OATH applet and generated by the Yubico Authenticator application (over the YubiKey's smart-card interface); it is separate from the Yubico OTP slot configuration. The YubiKey Personalization Tool is used in this walkthrough to confirm that the key is recognized and is running its default configuration. Other Personalization Tool settings are optional for the Microsoft Azure MFA Server configuration and testing.

The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:

  • Yubico OTP
  • OATH-HOTP
  • Static Password
  • Challenge-Response

Download the YubiKey Personalization Tool and run the yubikey-personalization-gui-3.1.24.exe file to complete the tool installation.

  1. Insert the YubiKey into a USB port. You may see the Device Setup window; let the driver installation complete.
  2. Open the YubiKey Personalization Tool and make sure that:
    1. The tool has successfully identified your YubiKey.
    2. Yubico OTP is listed as a supported method in the Features Supported section.
  3. The Yubico OTP tab shows the current OTP configuration. I am going to use the default configuration for this testing.

Yubico Authenticator Application – Installation and Configuration

Download the Yubico Authenticator application and run the yubioath-desktop-3.0.1-win.exe file to complete the application installation.

  1. Open the Yubico Authenticator application.
  2. From the File menu, select Add (File –> Add).
  3. In the New Credential window:
    1. Credential Name – an identifier or display name for the credential.
    2. Secret Key – a Base32 key. Base32 (RFC 4648) uses only the letters A–Z and the digits 2–7, so a key containing 0, 1, 8 or 9 is not valid Base32. This is a shared secret: anyone who obtains it can generate valid codes, so generate it randomly and use the same value here and in MFA Server.
    3. Select the Time based (TOTP) option. Microsoft Azure MFA Server supports only OATH TOTP (time-based) tokens.
    4. Number of digits – select 6 or 8 digits as the OATH code length.
    5. Require touch – if you select this option, the end user has to touch the YubiKey to generate an OATH code and is prompted with a message to touch the key. This prevents software on the host from reading codes without the user's physical presence.
    6. Click OK to save the configuration.
  4. The newly added account appears in the Yubico Authenticator window.

Now we have completed the YubiKey account configuration. We can move on to Azure MFA server to configure the OATH token.

Azure MFA Server – Configuration for Third-Party OATH Tokens

Review the following Azure MFA Server Authentication Types blogs if you are not familiar with authentication configuration in Azure MFA Server:

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

To add an OATH token in Azure MFA Server:

  1. Open the Multi-Factor Authentication Server UI and select the OATH Token icon.
  2. Click Add in the OATH Token window.
  3. Enter your YubiKey token details:
    1. Serial Number – required. Enter the YubiKey serial number, which is printed on the back of the YubiKey.
    2. Secret Key – required. This is the same Base32 secret key you entered in the Yubico Authenticator application.
    3. Manufacturer – optional. Enter Yubico as the manufacturer.
    4. Model – optional. Enter your YubiKey model.
    5. Start date – optional.
    6. Expiration date – optional.
    7. Time interval – required. Keep the default value of 30 seconds. The TOTP credential created in Yubico Authenticator uses the standard 30-second period, so the 6- or 8-digit code changes every 30 seconds; if the interval entered here differs from the one the credential uses, synchronization and every later logon will fail.
    8. Username – select the user for this OATH token. You can type the username or use the Select User option to pick one.
  4. Click OK. The Synchronize OATH Token dialog prompts for the current OATH code to synchronize the token and verify the configuration.
  5. Generate a new OATH code in the Yubico Authenticator app using its generate button (if Require touch is enabled, touch the YubiKey when prompted).
  6. Enter this code in the Synchronize OATH Token window to complete the token configuration in MFA Server.

Note 1: MFA Server validates the OATH code against the token's secret key and, if the code is valid, records the token's time offset (synchronizes the token). If the code is not valid, an error message is displayed and the token is not synchronized.
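The Base32 secret-key requirement described under the Yubico Authenticator steps and the validate-and-synchronize behaviour described in Note 1 are both standard OATH TOTP (RFC 6238) behaviour. The following is an added example, not code from the original post, from Microsoft or from Yubico: it generates a random Base32 secret of the kind entered into Yubico Authenticator and MFA Server, checks that a pasted secret is valid Base32, computes the 6- or 8-digit code the YubiKey produces, and performs the server-side check with a small time window, returning the step offset a server would store as the token's synchronization. The window size and the choice to return the offset are assumptions about how such a check is organised, not a description of MFA Server internals.

```python
"""
Added example: OATH TOTP secret handling, code generation and a
server-side verify-with-window check. Standard library only.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4648 Base32 alphabet: A-Z and 2-7 only (no 0, 1, 8 or 9).
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def new_base32_secret(nbytes: int = 20) -> str:
    """Generate a random secret and return it Base32-encoded.
    20 bytes (160 bits) matches the HMAC-SHA1 output size used by TOTP."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_base32_secret(secret: str) -> bytes:
    """Normalise and decode a Base32 secret, rejecting any character outside
    the RFC 4648 alphabet. Lower case and spaces are tolerated because
    authenticator apps commonly accept them; '=' padding is restored."""
    s = secret.replace(" ", "").upper()
    if not s or any(c not in BASE32_ALPHABET for c in s):
        raise ValueError("secret key is not valid Base32 (A-Z, 2-7 only)")
    s += "=" * (-len(s) % 8)  # pad to a multiple of 8 characters
    try:
        return base64.b32decode(s)
    except binascii.Error as exc:
        raise ValueError(f"secret key has an invalid Base32 length: {exc}")


def totp(secret: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the counter is floor(time / period)."""
    key = decode_base32_secret(secret)
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: str, code: str, unix_time: int, digits: int = 6,
                period: int = 30, window: int = 1):
    """Server-side check (assumed design, not MFA Server's own code).
    Accept the code if it matches the current time step or one within
    +/- `window` steps, to tolerate clock drift between token and server.
    Returns the step offset that matched (0 = in sync) or None if no step
    matched; a server can store a non-zero offset as the token's
    synchronization value and apply it on later logons."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * period, digits, period)
        if hmac.compare_digest(candidate, code):
            return delta
    return None


if __name__ == "__main__":
    secret = new_base32_secret()
    now = int(time.time())
    code = totp(secret, now)
    print(f"secret to enter in Yubico Authenticator and MFA Server: {secret}")
    print(f"current 6-digit code: {code}")
    print(f"verification offset: {verify_totp(secret, code, now)}")
```

A secret that fails `decode_base32_secret` is exactly the case that produces the synchronization error in Note 1: the code the key generates from a mistyped secret never matches the code the server computes. The RFC 6238 test vectors (secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, the Base32 form of the ASCII string `12345678901234567890`) can be used to confirm the implementation against a known-good source.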

Note 2: Azure Multi-Factor Authentication Server supports bulk import of token records from an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password. Because the file contains every token's secret key, treat it like a password file: use the encrypted option where possible, restrict who can read it, and delete it once the import has succeeded.

Sample Input File

To perform a bulk import:

  1. Select the OATH Token icon and select Import.
  2. Select the input file and click Import.

Note 3: You may receive the following error message when you click the Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Could not load file or assembly 'PfPskcClr, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. A strongly-named assembly is required. (Exception from HRESULT: 0X8013100)

Azure MFA Server – End User Validation Using YubiKey OATH Token

The final step in this process is to validate the YubiKey configuration and authentication experience from an end user perspective. 

To configure OATH token as the authentication type for an end user:

  1. From the Multi-Factor Authentication Server UI, select the Users icon.
  2. In the right pane, open the user properties by double-clicking the user object.
  3. In the User Properties / Edit User window, make sure that OATH Token is selected as the authentication type for the test user.
  4. To validate the configuration, select the test user object and click Test at the bottom of the window.
  5. The user is prompted for the first (primary) authentication with a user name and password. Enter the user name and password, then click Test.
  6. You are then prompted for the secondary authentication, which in this scenario is the OATH code.
  7. To generate a new OATH code, open the Yubico Authenticator app and press its generate button. The OATH code is displayed.
  8. Enter the current OATH code in the OATH Code field of the MFA application window and click OK.
  9. The authentication status/result is displayed.
