Friday, October 13, 2017

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server

Related blogs:
Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server
Azure MFA with pGina and Local Authentication
Azure MFA Server – Authentication Types (Part I)
Azure MFA Server – Authentication Types (Part II)
Microsoft Azure MFA on-premises server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator Mobile App as an OATH token. You can see other MFA authentication options in my Azure MFA Server – Authentication Types (Part I) and Azure MFA Server – Authentication Types (Part II) blogs. OATH tokens can be added or imported before being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server or the User Portal. Users can associate themselves with an OATH token during User Portal enrollment, or by using the OATH Token menu option when the User Portal is configured to provide this functionality. MFA Server also supports bulk token import and configuration: an administrator can import OATH token records from an input file. The secret keys must be in Base32 format. This blog provides step-by-step instructions for configuring a YubiKey OATH token with Microsoft Azure MFA Server.
The following are the prerequisites to complete this configuration.
  1. Microsoft Azure MFA on-premises server
  2. YubiKey hardware
  3. YubiKey Personalization Tool
  4. YubiCo Authenticator Application
YubiKey Personalization Tool – Installation and Configuration
Microsoft Azure MFA Server supports only OATH TOTP (time-based) tokens, so you need to make sure that your YubiKey is in Yubico OTP mode using the YubiKey Personalization Tool. Other configurations are optional for Microsoft Azure MFA Server configuration and testing.
The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:
  • Yubico OTP
  • Static Password
  • Challenge-Response
Download the YubiKey Personalization Tool and run the yubikey-personalization-gui-3.1.24.exe file to complete the tool installation.
  1. Insert the YubiKey into the USB port. You may see the Device Setup window. Complete the driver installation process.
  2. Open the YubiKey Personalization Tool. Make sure:
    1. The YubiKey Personalization Tool has successfully identified your YubiKey.
    2. Yubico OTP is displayed as a supported method in the Features Supported section.
  3. You will see the current OTP configuration in the Yubico OTP tab. I am going to use the default configuration for this testing.
YubiCo Authenticator Application – Installation and Configuration
Download the Yubico Authenticator application and run the yubioath-desktop-3.0.1-win.exe file to complete the application installation.
  1. Open the Yubico Authenticator application.
  2. From the File menu, select the Add option (File –> Add).
  3. From the New Credential window:
    1. Enter Credential Name – An identifier or a display name for the credential.
    2. Secret Key – This is a Base32 key. Review this if you are not familiar with the digits and characters supported in Base32 encoding.
    3. Select the Time based (TOTP) option. Microsoft Azure MFA Server supports only OATH TOTP (time-based) tokens.
    4. Number of digits – You can select 6 or 8 digits as the OATH token length.
    5. Require touch – If you select this option, the end user has to touch the YubiKey to generate an OATH token. The user will be prompted with a message.
    6. Click OK to save the configuration.
    7. You will see the newly added account in the Yubico Authenticator window.
Now we have completed the YubiKey account configuration. We can move on to Azure MFA Server to configure the OATH token.
Azure MFA Server - Configuration for Third-Party OATH
Review the following Azure MFA Server Authentication Types blogs if you are not familiar with authentication configuration in Azure MFA Server:
Azure MFA Server – Authentication Types (Part I)
Azure MFA Server – Authentication Types (Part II)
To add an OATH token in Azure MFA Server:
  1. Open the Multi-Factor Authentication Server UI and select the OATH Token icon.
  2. Click the Add option in the OATH Token window.
  3. Enter your YubiKey token details:
    1. Serial Number – Required. Enter the YubiKey serial number. This is printed on the back of the YubiKey.
    2. Secret Key – Required. This is the Secret Key (Base32) you configured using the Yubico Authenticator application.
    3. Manufacturer – Optional. Enter Yubico as the manufacturer.
    4. Model – Optional. Enter your YubiKey model type.
    5. Start date – Optional.
    6. Expiration date – Optional.
    7. Time interval – Required. You can select the default 30 seconds value. By default, YubiKey changes the 6-8 digit code every 30 seconds.
    8. Username – Select the user for this OATH token. You can manually enter the username or use the Select User option to identify a user.
    9. Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.
    10. Generate a new OATH code from the Yubico Authenticator app using the [image] button.
    11. Enter this code in the Synchronize OATH Token window to complete the token configuration in MFA Server.
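The check behind the Synchronize OATH Token step can be reproduced offline to confirm that a Base32 secret, the 30-second interval and the digit count agree before they are entered in MFA Server. The following is an added example, not code from Microsoft, Yubico or the original post; it implements standard RFC 4226/6238 TOTP. The function names, the ±2-step acceptance window and the sample secret (the published RFC 6238 test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def decode_secret(secret_b32):
    """Normalize a Base32 secret (spaces, case, padding) and return raw key bytes."""
    s = secret_b32.replace(" ", "").replace("-", "").upper().rstrip("=")
    bad = sorted(set(s) - B32_ALPHABET)
    if not s or bad:
        raise ValueError(f"not Base32 (A-Z, 2-7 only); offending characters: {bad}")
    return base64.b32decode(s + "=" * (-len(s) % 8))  # re-pad to a multiple of 8

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(key, int(unix_time) // step, digits)

def verify(key, code, unix_time, step=30, digits=6, window=2):
    """Return the token's drift in time steps if the code matches, else None.

    window=2 (accept +/- 2 steps) is an assumed value, not MFA Server's setting.
    """
    counter = int(unix_time) // step
    for drift in sorted(range(-window, window + 1), key=abs):  # 0, -1, 1, -2, 2
        candidate = counter + drift
        if candidate >= 0 and hmac.compare_digest(hotp(key, candidate, digits), code):
            return drift
    return None

if __name__ == "__main__":
    # Constructed sample: the published RFC 6238 test key, never a real token secret.
    key = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "drift:", verify(key, code, now))
```

A negative drift means the submitted code belongs to an earlier time step than the verifier's clock; `None` means the code, secret, interval or digit count does not match.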
Note1: MFA Server validates the OATH code against the OATH token's secret key and synchronizes the OATH token's time if they are valid. If they are not valid, you will see the following error message:
Note2: Azure Multi-Factor Authentication Server supports bulk import of token records by using an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password.
To perform a bulk import,
  1. Select OATH Token icon and select Import.
  2. Select the input file and click Import.
Note3: You may receive the following error message when you click the Import button. There is an update/hotfix for this issue.
Unhandled exception has occurred in your application.  If you click Continue, the application will ignore this error and attempt to continue.  If you click Quit, the application will close immediately. 
Could not load file or assembly ‘PfPskcClr, Version=, Culture=neutral, PublicKey Token=null’ or one of its dependencies.  A strongly-named assembly is required.  (Exception from HRRESULT:0X8013100) 
Azure MFA Server – End User Validation Using YubiKey OATH Token
The final step in this process is to validate the YubiKey configuration and authentication experience from an end-user perspective.
To configure the OATH token as the authentication type for an end user:
  1. From the Multi-Factor Authentication Server UI, select the Users icon.
  2. From the right pane, open the user properties by double-clicking the user object.
  3. This will open the User Properties / Edit User window. Make sure that OATH Token is selected as the authentication type for this test user.
  4. To validate this configuration, select our test user object and, from the bottom of the window, select the Test option.
  5. The user will be prompted for first/primary authentication using a user name and password. Enter the user name and password for the user, then click Test.
  6. It will then prompt you for the secondary authentication. In this scenario, it is the OATH code.
  7. To generate a new OATH code, open the Yubico Authenticator app and press the [image] button. The OATH code will be displayed.
  8. Enter the current OATH code in the OATH Code field in the MFA application window. Click OK.
  9. You will see the authentication status/result.