NetIQ Advanced Authentication Framework. OATH Authentication Provider User's Guide. Version 5.1.0

Similar documents
NetIQ Advanced Authentication Framework. Smartphone Authentication Provider User's Guide for Windows. Version 5.1.0

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Shell. User's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework- Web Service. Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Extensible Authentication Protocol Server. Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Profile Editor. Administrator's Guide. Version 5.1.

NetIQ Advanced Authentication Framework - Extensible Authentication Protocol Server. Administrator's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. Flash Drive Authentication Provider Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Shell. Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. FIDO U2F Authentication Provider Installation Guide. Version 5.1.0

NetIQ Access Manager - Advanced Authentication Plugin. Installation Guide. Version 5.1.0

DUO SECURITY Integration GUIDE

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. Voice Call Server Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Profile Editor. Administrator's Guide. Version 5.1.

NetIQ Advanced Authentication Framework - Citrix XenDesktop Plugin. Installation Guide. Version 5.1.0

Helpdesk Administration Guide Advanced Authentication. Version 6.0

NetIQ Advanced Authentication Framework. Smartphone Authentication Dispatcher Installation Guide. Version 5.1.0

Helpdesk Administration Guide Advanced Authentication. Version 5.6

User Guide Advanced Authentication - Smartphone Applications. Version 5.6

NetIQ Advanced Authentication Framework. Voice Call Authentication Provider Installation Guide. Version 5.1.0

YubiKey Personalization Tool. User's Guide

Device LinkUp Manual. Android

NetIQ Advanced Authentication Framework - Group Policy Templates. Administrator's Guide. Version 5.1.0

Yubico with Centrify for Mac - Deployment Guide

Authenticatr. Two-factor authentication made simple for Windows network environments. Version 0.9 USER GUIDE

Contents. Multi-Factor Authentication Overview. Available MFA Factors

NetIQ Advanced Authentication Framework. Universal Card Authentication Provider Installation Guide. Version 5.1.0

User Guide Advanced Authentication - Smartphone Applications. Version 6.1

RapidIdentity Mobile Guide

The specifications and information in this document are subject to change without notice. Companies, names, and data used

LogMeIn Rescue Getting Started with Two-Step Verification. User Guide

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

Device LinkUp User Manual OS X

Device LinkUP + VIN. Service + Desktop LP Guide RDP

Copyright 2017 Softerra, Ltd. All rights reserved

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5

Citrix SSO for ios. Page 1 18

OATH-HOTP. Yubico Best Practices Guide. OATH-HOTP: Yubico Best Practices Guide Yubico 2016 Page 1 of 11

Barracuda Networks Android Mobile App and Multi-Factor Authentication

Remote Support Two-Factor Authentication

Bechtel Partner Access User Guide

Meeting the requirements of PCI DSS 3.2 standard to user authentication

SafeNet MobilePASS+ for Android. User Guide

Multi-Factor Authentication User Setup Guide

Deployment User Guide

Remote Process Explorer

Getting started with ActiveSecurity MyLogin

YubiKey Mac Operating System Login Guide

User Guide Online Backup

MFA (Multi-Factor Authentication) Enrollment Guide

MobilePASS. Security Features SOFTWARE AUTHENTICATION SOLUTIONS. Contents

Defender Desktop Login GrIDsure Token User Guide

User Guide. NetScaler Gateway Access

Privileged Remote Access Two-Factor Authentication

Colligo Engage Outlook App 7.1. Offline Mode - User Guide

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1

Enrolling Devices in Duo

Two-Factor Authentication Guide Bomgar Remote Support

User Guide for Client Remote Access. Version 1.2

How to Integrate. REVE Secure 2FA App. with Dashboard.

Plug-in Guide Advanced Authentication- ADFS Multi- Factor Authentication Plug-in. Version 6.1

OneKey Mobile App USER GUIDE

DigitalPersona Pro Enterprise

LAB: Configuring LEAP. Learning Objectives

ISA 2006 and OWA 2003 Implementation Guide

Echidna Concepts Guide

External Authentication with Citrix GoToMyPc Corporate Edition Authenticating Users Using SecurAccess Server by SecurEnvoy

H3C Intelligent Management Center v7.3

isupplier Portal Registration & Instructions Last Updated: 22-Aug-17 Level 4 - Public INFRASTRUCTURE MINING & METALS NUCLEAR, SECURITY & ENVIRONMENTAL

EMC White Paper Documentum Client for Outlook (DCO)

Installation Guide Advanced Authentication- ADFS Multi- Factor Authentication Plug-in. Version 6.0

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE

YubiKey Smart Card Deployment Guide

Sophos Mobile user help. Product version: 7.1

Soft Token Replacement Guide

How to Secure SSH with Google Two-Factor Authentication

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

Secure Authentication

NetIQ Advanced Authentication Framework- Web Service. Administrator's Guide. Version 5.1.0

Colligo Engage Outlook App 7.1. Connected Mode - User Guide

External Data Connector for SharePoint

Multi-factor authentication enrollment guide for Deloitte practitioners

SecurEnvoy Windows Logon Agent Installation and Admin Guide v9.3 Including support for SecurPassword

Establishing two-factor authentication with Barracuda SSL VPN and HOTPin authentication server from Celestix Networks

SecureLogin 8.7 Application Definition Wizard Administration Guide. December, 2018

Ekran System v.6.1 Troubleshooting

HOTPin Software Instructions. Mac Client

Oracle Enterprise Single Sign-on Logon Manager

SecureAuth IdP Realm Guide

IPHONE DEP REGISTRATION... 4 IPHONE DEP REGISTRATION... 3

SAFETICA INSTALLATION MANUAL

Remote Support Security Provider Integration: RADIUS Server

10ZiG Technology. Thin Desktop Quick Start Guide

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Installation Guide Advanced Authentication - Logon Filter. Version 6.1

Getting Started with Duo Security Two-Factor Authentication (2FA)

Transcription:

NetIQ Advanced Authentication Framework OATH Authentication Provider User's Guide Version 5.1.0

Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 OATH Authenticator Overview 4 Managing OATH Authenticator 5 Microsoft Windows 7/Microsoft Windows Server 2008 R2 5 Microsoft Windows Server 2003/2003 R2 8 Microsoft Windows Server 2012 10 Enrolling OATH Authenticator 12 TOTP Enrollment 13 HOTP Enrollment 15 Re-enrolling OATH Authenticator 18 Testing OATH Authenticator 19 Removing OATH Authenticator 21 Troubleshooting 22 Cannot Enroll Authenticator 23 One-Time Password Doesn t Work 24 Index 25 2

Introduction About This Document Purpose of the Document This OATH Authentication Provider User s Guide is intended for all user categories and describes how to use the client part of NetIQ Advanced Authentication Framework solution. In particular, it gives instructions as for how to manage OATH type of authentication. For more general information on NetIQ Advanced Authentication Framework and the authentication software you are about to use, see NetIQ Advanced Authentication Framework Client User s Guide. Information on managing other types of authenticators is given in separate guides. Document Conventions Warning. This sign indicates requirements or restrictions that should be observed to prevent undesirable effects. Important notes. This sign indicates important information you need to know to use the product successfully. Notes. This sign indicates supplementary information you may need in some cases. Tips. This sign indicates recommendations. Terms are italicized, e.g.: Authenticator. Names of GUI elements such as dialogs, menu items, buttons are put in bold type, e.g.: the Logon window. 3

OATH Authenticator Overview The OATH (open authentication) authentication type takes its name from the Initiative for Open Authentication (OATH), which is a collaborative effort of IT industry leaders aimed at providing reference architecture for universal strong authentication across all users and all devices over all networks. Open authentication addresses One Time Password (OTP) based authentication method. OTP-based authentication is intended to act as a bridge between legacy and modern applications. OTP credentials will facilitate integration with applications that rely solely on user passwords. Because end users are already familiar with static passwords, a device- generated password can greatly facilitate the transition to stronger authentication. In OTP-based authentication method, login is performed using an essentially random password each time. The passwords are generated by a device, most commonly a hardware token associated with the user, and so the password is not based on the user s memory. This greatly increases security. TOTP (Time-based One-time Password Algorithm) is a variant of the OTP authentication, where the one-time password changes at frequent intervals (say, every two minutes). Each one-time password is generated by applying a random-looking cryptographic function to a unique series value. In the time-based case, the value is the current time. HOTP (Hmac-based One-Time Password algorithm) is a variant of OTP authentication, where one-time password is valid for an unknown period of time. HOTP authentication relies on a shared secret and a moving factor. Every time a new OTP is generated, the moving factor will be incremented and as a result generated one-time passwords should be different every time. 4

Managing OATH Authenticator In this chapter: Microsoft Windows 7/Microsoft Windows Server 2008 R2 Microsoft Windows Server 2003/2003 R2 Microsoft Windows Server 2012 Microsoft Windows 7/Microsoft Windows Server 2008 R2 Authenticator management options are available in the Authenticators window. The Authentication Wizard window is shown at system start if there are no enrolled authenticators. To open the Authenticators window from Control Panel: In classic view of Control Panel select NetIQ Credentials item. In Control Panel by categories select User Accounts > NetIQ Credentials. 5

To open Authenticators window, user should undertake authorization procedure: 1. In the Authorization window, choose authentication method. 2. Get authenticated with the selected method. 3. Once you are authenticated, page for managing authenticators is opened. 6

7

Microsoft Windows Server 2003/2003 R2 Authenticator management options are available in the Authenticators window. To open the Authenticators window: 1. From your desktop, press [Ctrl]+[Alt]+[Del]. The Windows Security window is displayed. 2. Click Manage and select Authenticators. 3. The Authorization window is displayed. 8

From the Logon method list, select a logon method (an authenticator type or Logon by password). Click Next. To be able to add, re-enroll or remove an authenticator, you should use an authenticator as logon method. After successful authentication the Authenticators window is displayed. 9

Microsoft Windows Server 2012 Authenticator management options are available in the Authenticators window. The Authentication Wizard window is shown at system start if there are no enrolled authenticators. To open the Authenticators, in the Search menu select Apps > NetIQ Advanced Authentication Framework... To open Authenticators window, user must undertake authorization procedure: 1. In the Authorization window, choose authentication method. If there are no enrolled authenticators, then the only way to get authorized is By password. Otherwise, authentication by password will make enrollment unavailable (i.e. the button Enroll, Re-enroll and Remove will be greyed out). 10

2. Get authenticated with the selected method. 3. Once you are authenticated page for managing authenticators is opened. 11

Enrolling OATH Authenticator This operation may be forbidden by NetIQ administrator. In such cases the Enroll button in the Authenticators window is greyed out. NetIQ administrator defines the maximum number of authenticators you can have which means you cannot enroll any more authenticators once you have reached the limit. To enroll an OATH authenticator: 1. Click the Enroll button in the Authenticators window. 2. When the Enroll Authenticator window appears, select OATH OTP from the Type dropdown menu, click Enroll. 12

3. In the OATH - Enrolling window, select the required type of OTP authentication: TOTP HOTP TOTP Enrollment 1. Enter seed to the Seed text field. Use one of the following methods: click the Generate button for automatic seed generation; type it manually using the stated symbols; click the Load from file button and select the required.xml or.pskc file. The seed should consist of 40 hex-digits. 2. In the OTP length box, select the required OTP length. The value should be between 4 and 8. 3. Leave the Token ID text field empty. 4. Scan the QR code containing the template data with NetIQ Smartphone Authenticator. Tap the Scan QR to load config button. Click OK. 13

5. Control is passed to the Enroll Authenticator window. Entering commentary is optional. Click Save. Entering and editing of comments may be forbidden by the system administrator. 6. A new authenticator is created and is visible in the list of authenticators in the Authenticators window. 14

HOTP Enrollment It is easier and more convenient to enroll OATH HOTP authenticator using NetIQ Web Enrollment Wizard. Contact NetIQ administrator for assistance. 1. Enter the Secret Key of your token to the Seed text field. The seed should consist of 40 hex-digits. 2. In the OTP length box, select OTP length according to the token's settings. 3. Enter the token ID to the Token ID text field. To determine the Token ID for YubiKey, it is required to open Notepad and press the YubiKey button 3-4 times. The common beginning for all input values is the Token ID. OTP is the last 6 or 8 digits of the input value. 15

4. Click OK. 5. Enter 3 different OTP to synchronize HOTP counter with your device. Click OK. If there is specified the wrong seed or token ID, the following error will be displayed: "Failed to find correct HOTP counter". 6. Control is passed to the Enroll Authenticator window. Entering commentary is optional. Click Save. 16

Entering and editing of comments may be forbidden by the system administrator. 7. A new authenticator is created and is visible in the list of authenticators in the Authenticators window. 17

Re-enrolling OATH Authenticator This operation may be forbidden by NetIQ administrator. In such cases the Re-Enroll button in the Authenticators window is greyed out. In order to re-enroll a created OATH authenticator: 1. Select OATH OTP in the list of authenticators, click Re-Enroll in the Authenticators window. 2. Click Re-Enroll in the Re-Enroll Authenticator window. 3. Fulfill the steps as during your initial enrollment process. 18

Testing OATH Authenticator To test a created OATH authenticator: 1. Click Test in the Authenticators window. Testing can also be performed in the Enroll authenticator and Re-enroll authenticator windows. Instead of standard passwords, 6-digits one-time password is used. 2. For TOTP OTP, enter One-Time Password that you receive from NetIQ Smartphone Authenticator. Click OK. For HOTP OTP, enter One-Time Password that is automatically generated by smartphone or hardware token. 19

For YubiKey, insert the token into the port and press its button. 3. When a confirmation message saying: Authenticators match appears, click OK. 4. When authenticators do not match an error message appears. Click OK. 20

Removing OATH Authenticator This operation may be forbidden by the NetIQ administrator. In such cases the Remove button in the Authenticators window is greyed out. If you are allowed to remove your authenticator, don t do this just because you don't like your current authenticator. Instead, you can re-enroll it. Do not remove the only authenticator you have. If you have no authenticators, you can log on with your password only. If a random password was generated for your account and you have removed the only authenticator, you cannot log on in any way. NetIQ Advanced Authentication Framework prevents you from accidentally removing your only authenticator by showing the following dialog: If you removed the only authenticator and do not know your password, contact the system administrator. 21

Troubleshooting In this chapter: Cannot Enroll Authenticator One-Time Password Doesn't Work This chapter provides solutions for known issues. If you encounter any problems that are not listed here, please contact the technical support service. Before contacting the support service: We strongly request that you give a possibly detailed description of your problem to the support technicians and attach logs from the faulty computer. To obtain the logs, use the LogCollector.exe tool (\Tools\LogCollector). Follow the steps below: 1. Copy LogCollector.exe to the local C:\ disk on the faulty computer. The tool may not work from a network drive. 2. Run LogCollector.exe. 3. In the dialog that opens, click Enable all. As a result, all items in the Debugged components section are selected. Close the dialog. 4. Reproduce the steps that caused the problem. 5. Run LogCollector.exe. again and click Save logs. Save the logs to archive. 22

Cannot Enroll Authenticator Description: Authenticator is not enrolled because: a. The Type list in the Enroll Authenticators window is empty or OATH authenticator type is absent. b. The Enroll button in the Authenticators window is greyed out. Cause: a. The OATH authenticator type is not supported (no proper authentication provider is installed). b. The operation is forbidden or you have reached the limit on authenticators number. Solution: a. Contact NetIQ administrator. b. No authenticators can be added. For more information, contact NetIQ administrator. 23

One-Time Password Doesn t Work Description: The generated one-time password doesn t work. Cause: a. Group policy is set on the other password generating period. b. The password time is out. c. Workstation time differs from time of Authenticore Server more than N minutes; N depends on TOTP checking window setting. Solution: a. Check group policy settings and make changes in your mobile device token application. b. Try another password. c. Synchronize Workstation and Server time. 24

Index A Authentication 1, 3-5, 10, 21 Authenticator 3, 5, 8, 10, 13, 16, 23 C Client 3 Control 5, 14, 16 E Enroll 10, 14, 18-19, 22-23 G Generate 13 K Key 15 L Logon 3, 9 M Manage 8 Microsoft Windows Server 2003 5, 8 Microsoft Windows Server 2012 5, 10 O OATH 1, 3-5, 12, 15, 18-19, 21, 23 One-time Password 4 OTP 4, 12-13, 18 P Password 4, 19, 22, 24 R Re-enroll 19 Remove 10, 21 25

S Server 24 T Token 13, 15 TOTP 4, 13, 19, 24 U User 5 W Windows 8 Windows 7 5 Workstation 24 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback