Multifactor Authentication Installation and Configuration Guide
Software Version 5.0.0.0
General Information: info@cionsystems.com
Online Support: support@cionsystems.com
2017 CionSystems Inc. ALL RIGHTS RESERVED.
This guide may not be reproduced or transmitted in part or in whole by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's use under the licensing agreement, without the written permission of CionSystems Inc. The software application in this guide is provided under a software license (EULA) or non-disclosure agreement. This product may only be used in accordance with the terms of the applicable licensing agreement. This guide contains proprietary information protected by copyright. For questions regarding the use of this material and product, contact us at:
CionSystems Inc.
6640 185th Ave NE
Redmond, WA-98052, USA
http://www.cionsystems.com
Phone: +1.425.605.5325

Trademarks
CionSystems, CionSystems Inc., the CionSystems Inc. logo, CionSystems Enterprise Self-Service and two factor authentication are trademarks of CionSystems. Other trademarks and registered trademarks used in this guide are property of their respective owners.
Table of Contents
Introduction
Prerequisites
System Requirements
Installation of Enterprise Self-Service Portal
Configuring database for Enterprise Self-Service Portal
Configuring Enterprise Self-Service Portal
Configuration of Domain
Configuring SMTP and SMS settings
Create User Policy
Create User
User Registration
Self-Extractor creation steps for CionSystems Multifactor
1. By using 7-Zip file archiver
Steps for x64 self-extractor
2. By using IExpress
IExpress
Prerequisites
IExpress Wizard
User Login
Installing Multifactor
How to Use
Update Off-Line Configuration
Update Unlock Key
Introduction
Your laptop/PC is the key to many things you do on a day-to-day basis. It's important that only you have the ability to access your device, update your device and access the data you store. CionMFA is a feature you can use to keep your personal information as secure as possible. Multi Factor Authentication is an additional security feature for your Windows machines that's designed to prevent anyone from accessing or using your computer, even if they know your password. It requires you to verify your identity using a first factor, i.e. your username and password, and a second factor which only you know or have: your USB disk, an OTP sent to your mobile or email address, or security questions which only you know.

Prerequisites
Ensure that you have installed and configured Enterprise Self-Service. Add the domain and Office365 domain to Enterprise Self-Service. For more information about Enterprise Self-Service, please refer to the product quick start guide.

System Requirements
CionSystems Enterprise Self-Service Requirements:
- 8GB RAM
- 50 MB of disk space.
- Web Browser IE 5.5 or higher.
- Windows Server 2000, 2003, 2008, 2008R2, 2012, 2012R2, 2016
- IIS server 5.1 or higher.
- Microsoft .NET 4.0 Framework.
- Optional - Access to Exchange Server 2003, Exchange Server 2007 or higher.
- Access to Windows Active Directory (2000, 2003, 2008, 2012, 2016).
- SQL Server 2008 or higher, Full or Express Edition.
- Windows Installer 3.1.
- Optional - For Exchange 2007 (or higher) support, please install Exchange 2007 (or higher) management tools on your system.
Installation of Enterprise Self-Service Portal
The Enterprise Self-Service Portal installation process is as follows:
1. Open the location where "EnterpriseSelfServicePortal.msi" was saved.
2. Double click on the EnterpriseSelfServicePortal.msi file.
Note: You will have to choose Run as administrator on a user control enabled system.
3. Click Next
4. Click Next
5. Select I Agree and click Next
6. Confirm the installation and click Next
7. Provide Username and Password and click OK

Configuring database for Enterprise Self-Service Portal
8. The SQL Server Configuration pop-up window appears. If you are installing the application for the first time, click Create New Database. In Configuration Details, you can select SQL Authentication or Windows Authentication.
Note: To use the Use Existing Database radio button, the AD_SELF_SERVICE database must already exist on the selected SQL database server. If the AD_SELF_SERVICE database already exists on the selected SQL database server and you choose the Create New Database radio button, the old database will be deleted and a new database will be created.
For SQL Authentication, enter the SQL database server name, select SQL Authentication, and enter the Login and Password details. Enter valid details and click Test Connection. If Test Connection displays the Connected Successfully message, click Next.
For Windows Authentication, enter the SQL database server name and select Windows Authentication; Login and Password will be grayed out. Enter valid details and click Test Connection. If Test Connection displays the Connected Successfully message, click Next.
9. Click Close. Installation completed successfully.
Configuring Enterprise Self-Service Portal
The admin configures the Enterprise Self-Service Portal, audits, customizes the portals, manages users, and delegates authority via the Administrative Portal.
1. Click the Windows Start button > All Programs > Enterprise Self-Service Portal > Enterprise Self-Service Portal icon. (OR) Click the Enterprise Self-Service Portal icon on the desktop.
Figure: Login page in ESSP for Admin
2. The login screen will open in the default web browser. To log in to the application for the first time:
- Enter admin in the User Name dialogue box
- Enter admin in the Password dialogue box
Note: It is recommended that the user name and password be changed after the application has been launched.
Configuration of Domain
Enter all required domain details and configure the domain.
a. Enter Domain Controller name
b. Domain name
c. Domain User name
d. Domain Password
Click Fetch
Figure: Domain configuration in ESSP
Select one controller as primary and click Save; the domain will be added.
Configuring SMTP and SMS settings:
To receive automated e-mail notifications and alerts from the Enterprise Self-Service application, these settings must be configured properly. Fill in the fully qualified domain name or IP address of the SMTP server (Mail Server) and the sender e-mail address (From E-mail Address) as indicated in the figure below.
Figure: SMTP and SMS settings in ESSP
Create User Policy
To create a user policy, go to Customization:
- Click User Policy
- Click Create
- Enter Policy name
- Select OU
- Select the policies that you want to configure
- Click Save
Figure: User Policy creation in ESSP
Create User
For user creation, go to the User Management tab and click the Create User link.
Figure: User creation in ESSP
Fill in the details and click the Create button; the user will be created successfully.
User Registration
For user registration, go to the User Login page and click the Register User tab.
Figure: User Login page in ESSP
1. Provide Username and Password and click OK; an email will be sent to the user's specified email address.
2. The user will then receive a mail with a security PIN. Copy the secret code to validate registration and click on the link Enterprise Self-Service Portal.
3. Copy and paste the PIN and click Ok.
Figure: User security questions configuration in ESSP
4. Now the user has to configure the Selectable Questions & Answers (Challenging Questions) and click Save.
5. You should see a message that says User registered Successfully. Click Ok
Self-Extractor creation steps for CionSystems Multifactor
As an admin, you have to create a MultiFactorAuthInstaller.exe file from its .msi file. The installer can be created in two ways:
1. By using 7-Zip file archiver
2. By using IExpress tool

1. By using 7-Zip file archiver
Install the 7-Zip file archiver tool on the server machine where the Enterprise Self-Service portal is installed. You will find its setup file in the 7zip_setup folder.
After installation, unzip the contents of the SelfExtractor.zip file to a location (e.g. D:\SelfExtractor). After unzipping, you can see the following files:
- 7zS.sfx
- config_x64.txt
- CreateSelfExtractor_x64.bat
Now copy the MultiFactorAuthInstaller_x64.msi file to the same location, D:\SelfExtractor.

Steps for x64 self-extractor
Right click on MultiFactorAuthInstaller_x64.msi, select 7-Zip, and click Add to archive.
Keep the default options and press OK.
This will create a file with the name MultiFactorAuthInstaller_x64.7z in the same location (D:\SelfExtractor).
Now open the config_x64.txt file in either Notepad or Notepad++.
Check the msi file name; it should be exactly the same as the msi file (MultiFactorAuthInstaller_x64.msi). Then look for SERVICEADDRESS and replace the IP value in the address with the IP of the server where the Enterprise Self-Service Portal is installed:
http://192.168.0.197/adselfservice/services/userauthenticationservice.asmx
Now open the CreateSelfExtractor_x64.bat file in Notepad or Notepad++. The first parameter, MultiFactorAuthInstaller_x64.7z, is the input file for which the installer needs to be created. The second is the output, i.e. the installer .exe file (MultiFactorAuthInstaller_x64.exe); the output name can be changed to any name of your choice.
Double click on the CreateSelfExtractor_x64.bat file.
You should see MultiFactorAuthInstaller_x64.exe in the location D:\SelfExtractor.
Now copy the installer MultiFactorAuthInstaller_x64.exe from the created location and paste/replace it in the path: C:\inetpub\wwwroot\ADSelfService\Temp
Changes will take effect after restarting IIS (Internet Information Services). To restart IIS, open a command prompt in administrator mode, type IISReset and press Enter.
2. By using IExpress
With the IExpress tool you can create an EXE installer from the MSI setup file, to release MultiFactorAuthInstaller in standard EXE installer setup format.

IExpress
IExpress is a Microsoft tool that is included in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. It uses a Self-Extraction Directive (.SED) file to store information about your package. When you run the IExpress Wizard, you can start with an existing .sed file or create a new one by using the wizard. The .SED file contains information and instructions about the setup package.

Prerequisites
Use a Windows 8.1 or Windows 7/10 machine for creating the self-extractor. Also, for 32 bit, use a 32-bit machine and for 64 bit, use a 64-bit machine.

IExpress Wizard
1. In the search box type iexpress, select iexpress.exe, right click on it and choose Run as administrator. The IExpress Wizard will start with the screen below.
2. Select the Create new Self-Extraction Directive file option and click Next
3. Select the Extract files and run an installation command option and click Next
4. In the text box enter CionSystems Multifactor, click Next
5. Select the Prompt user with option and enter "Do you want to install CionSystems Multifactor?" in the text box. Click Next
6. Select the Do not display a license option and click Next
7. Click the Add button; a dialog box for file selection will appear. Browse to the location where the MultiFactorAuthInstaller.msi file is located and select it. For x64, select the 64-bit version of the msi and for x86, select the 32-bit version of the msi. In this example, MultiFactorAuthInstaller_x64.msi is selected. Click the Open button.
8. Click Next
9. In the Install Program text box, enter the following text (which is in double quotes marked with yellow color)
For x64:
    msiexec.exe /i multifactorauthinstaller_x64.msi SERVICEADDRESS=http://192.168.0.197/ADSelfService/Services/UserAuthenticationService.asmx LOCALPORTNO=9002
Note: Enter the text without double quotes.
In the above text, replace the IP and port values (which are marked with red circles) with the IP and port values of the server where the Enterprise Self-Service Portal is installed. If the assigned port is being used by some other application on the machine, setup will automatically pick up a random port which is open.
10. Keep the default Post Install Command value as <None> and click Next
11. Keep the Default (recommended) option selected and click Next
12. Keep the default No Message option selected and click Next
13. Click the Browse button. A file dialog box will open.
14. Go to the location where you want to store the self-extractor. In this case, for example, I kept the same location where the .msi files are placed. Also enter the file name of the self-extractor in the file name box. I have given the same name as the msi, MultiFactorAuthInstaller_x64. Then click the Save button.
15. Select the checkbox Store files using Long File Name inside Package
16. Click Yes on the popup dialog box.
17. Click Next
18. Select No restart from the option list, click Next
19. Keep the default Save Self Extraction Directive (SED) file option selected and click Next
20. Click Next
21. If the process is successful, the self-extractor will be created in the location selected at step 14.
22. Click Finish
23. Now copy the installer from the created location and replace it in the following path: C:\inetpub\wwwroot\ADSelfService\Temp
24. Changes will take effect after restarting IIS (Internet Information Services). To restart IIS, open a command prompt in administrator mode, type IISReset and press Enter.
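
The Install Program text from step 9, and the same msi name and SERVICEADDRESS value in config_x64.txt for the 7-Zip method, must match the packaged file and point at your own portal. The PowerShell function below is an added example, not part of CionSystems' guide or tooling, that checks such a line before the self-extractor is built; the name Test-MfaInstallCommand and the FAIL/WARN labels are assumptions made for illustration, and HTTPS availability depends on an IIS binding this guide does not cover.

```powershell
# Added example, not vendor code. Test-MfaInstallCommand is a hypothetical helper.
function Test-MfaInstallCommand {
    param(
        [Parameter(Mandatory)] [string] $CommandLine,  # Install Program text (step 9)
        [Parameter(Mandatory)] [string] $MsiFileName,  # .msi added to the package (step 7)
        [string] $GuideSampleHost = '192.168.0.197'    # sample IP printed in this guide
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # The name after /i must be the packaged .msi (Windows file names ignore case).
    if ($CommandLine -match '/i\s*"?([^"\s]+\.msi)"?') {
        if ($Matches[1] -ne $MsiFileName) {
            $findings.Add("FAIL: /i names '$($Matches[1])' but the package holds '$MsiFileName'")
        }
    } else {
        $findings.Add('FAIL: no "/i <file>.msi" argument found')
    }

    # Collect the public MSI properties passed as NAME=value.
    $props = @{}
    foreach ($m in [regex]::Matches($CommandLine, '\b([A-Z_]+)=("[^"]*"|\S+)')) {
        $props[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
    }

    if (-not $props.ContainsKey('SERVICEADDRESS')) {
        $findings.Add('FAIL: SERVICEADDRESS is missing')
    } else {
        $uri = $null
        $parsed = [System.Uri]::TryCreate($props['SERVICEADDRESS'], [System.UriKind]::Absolute, [ref]$uri)
        if ((-not $parsed) -or ($uri.Scheme -notmatch '^https?$')) {
            $findings.Add('FAIL: SERVICEADDRESS is not an absolute http(s) URL')
        } else {
            if ($uri.Host -eq $GuideSampleHost) {
                $findings.Add("WARN: SERVICEADDRESS still uses the guide's sample IP $GuideSampleHost")
            }
            if ($uri.Scheme -eq 'http') {
                # Plain http: calls to the authentication service cross the network unencrypted.
                $findings.Add('WARN: SERVICEADDRESS is plain http; use https if the portal has a TLS binding')
            }
        }
    }

    # LOCALPORTNO is only range-checked when it is present.
    if ($props.ContainsKey('LOCALPORTNO')) {
        $port = 0
        $isInt = [int]::TryParse($props['LOCALPORTNO'], [ref]$port)
        if ((-not $isInt) -or ($port -lt 1) -or ($port -gt 65535)) {
            $findings.Add("FAIL: LOCALPORTNO '$($props['LOCALPORTNO'])' is not a port in 1-65535")
        }
    }
    $findings
}

# Constructed input: the x64 line from step 9 of this guide, sample values unchanged.
$sample = 'msiexec.exe /i multifactorauthinstaller_x64.msi ' +
          'SERVICEADDRESS=http://192.168.0.197/ADSelfService/Services/UserAuthenticationService.asmx ' +
          'LOCALPORTNO=9002'
$result = @(Test-MfaInstallCommand -CommandLine $sample -MsiFileName 'MultiFactorAuthInstaller_x64.msi')
if ($result.Count -eq 0) { 'OK: install command is consistent' } else { $result }
```
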
User Login
After restarting IIS, you need to download and install the installer MultiFactorAuthInstaller.exe.
1. Take one domain joined machine which is joined with a domain controller where the Enterprise Self-Service portal is installed.
2. Now access the URL of the Enterprise Self-Service Portal which is installed on the domain controller: http://192.168.0.197/adselfservice/frmuserlogin.aspx
3. Log in with Username and Password
Figure: User Self Update page in ESSP
4. After login, click on the Install Credential Provider link
5. The installer will be downloaded.
Installing Multifactor
The Multifactor Authentication installation process is as follows:
1. Double click on the installer
2. Click on Run
3. Click on Yes in the pop-up dialog box below.
4. The Multi-Factor Auth For All setup wizard will start
5. Click Next
6. Select the checkbox I accept the terms in the License Agreement and click Next
7. If you want offline support, select Yes
8. If you don't want offline support, select No and click Next
9. If you select Yes, the Offline support configuration window appears. The default key update is 7 days; you can enter 7 to 30 days. You will need a USB disk at the end of the installation to store the offline key. Click Next
10. Click Install
11. Click Finish
12. A popup appears immediately. To generate the offline key, click Yes
13. Select the USB disk to generate the key
14. It will show the message Your unlock key has been generated and stored in USB disk successfully
15. Click on the Close button
How to Use
1. After installing Multifactor on your system, restart your system or lock your system (Ctrl+Alt+Del).
2. Before logging in to your system, remove the USB disk from the port.
3. Now log in to your system by entering your username and password. After your username and password are successfully authenticated, you will get the following options to log in:
a. USB Key (Support offline is set to Yes during installation)
b. Send OTP to Email
c. Send OTP to Mobile
d. Answer Security Questions
Figure: Multifactor authentication with USB Key
If you choose the USB Key option, it asks you to attach the USB disk to your machine and click on the arrow to log in. This option also works when there is no network connection.
Figure: Multifactor authentication with Send OTP to Email
If you choose the Send OTP to Email option, an OTP will be sent to your Email Id.
Figure: Multifactor authentication with Send OTP to Mobile
If you choose the Send OTP to Mobile option, an OTP will be sent to your mobile.
Figure: Multifactor authentication with Answer Security Questions
If you choose the Answer Security Questions option, answer your security questions.
Update Off-Line Configuration
Steps to update the offline configuration settings are as follows:
1. Click Show hidden icons on the task bar and select CionSystems Multi-Factor Auth For All.
2. Right click on CionSystems Multi-Factor Auth For All and select Update Off-Line Configuration.
Figure: Update offline configuration in Multifactor
3. The Update offline configuration window appears. Select the Is offline support required check box and enter a Key Expire Time between 7 and 30 days. Click Update
4. Click Close

Update Unlock Key
Steps to update the unlock key are as follows:
1. Click Show hidden icons on the task bar and select CionSystems Multi-Factor Auth For All
2. Right click on CionSystems Multi-Factor Auth For All and select Update Unlock Key.
Figure: Update unlock key in Multifactor
3. Attach the USB disk to your machine and click the Update Key button.
4. It will show the message Unlock key has been updated successfully. Finally, click on the Close button.
Contact Notes:
For technical support or feature requests, please contact us at Support@CionSystems.com or 425.605.5325
For sales or other business inquiries, we can be reached at Sales@CionSystems.com or 425.605.5325
If you'd like to view a complete list of our Active Directory Management solutions, please visit us online at www.cionsystems.com

Disclaimer
The information in this document is provided in connection with CionSystems products. No license, express or implied, to any intellectual property right is granted by this document or in connection with the sale of CionSystems products. EXCEPT AS SET FORTH IN CIONSYSTEMS LICENSE AGREEMENT FOR THIS PRODUCT, CIONSYSTEMS INC. ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL CIONSYSTEMS INC. BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF CIONSYSTEMS INC. HAS BEEN ADVISED IN WRITING OF THE POSSIBILITY OF SUCH DAMAGES. CionSystems may update this document or the software application without notice.
CionSystems Inc, 6640 185th Ave NE, Redmond, WA-98052, USA
www.cionsystems.com
Ph: +1.425.605.5325
This guide is provided for informational purposes only, and the contents may not be reproduced or transmitted in any form or by any means without our written permission.