Two Factor Authentication

    With the Two Factor Authentication service, you can add an extra layer of security to your account, in addition to your username and password. When you try to access the ADManager Plus interface, you will not be allowed to proceed until Two Factor Authentication is completed (admins alone have the option to skip authentication via TFA). ADManager Plus provides options to perform TFA through authentication services such as Duo Security, Google Authenticator, or one time password via email.

    Steps to configure Two Factor Authentication:

    1. Go to the Delegation tab.
    2. Click the Two Factor Authentication link under Configuration in the left navigation section.
    3. Enable Two Factor Authentication using the toggle button next to the "Two Factor Authentication is" label.
    4. Select the authentication service required for TFA from the following 3 options.
    5. Duo Security:

      • Log in to your Duo Security account, and navigate to the Applications section in the left pane.
      • Click on the Protect an Application option.
      • Search for Web SDK and click on Protect this Application.
      • Copy the Integration Key, Secret Key, and API Hostname, and paste them in the ADManager Plus console.
      • Click Save.

      Google Authenticator:

      • Select the Enable Google Authenticator button.
      • Click the Save button.
      • While logging in, enter the code generated by the Google Authenticator app on your smartphone, in addition to your username and password.

      Note: Besides Google Authenticator, other third-party authenticators, like Microsoft Authenticator, are also supported.

      Microsoft Authenticator:

      • Log in to the ADManager Plus console and navigate to the Delegation tab.
      • Under Logon Settings, click Two Factor Authentication.
      • Select the Enable Microsoft Authenticator button and click Save.
      • During logon, enter the code generated by the Microsoft Authenticator app on your smartphone, in addition to your username and password.


      One time password via email:

      In order to receive emails about the One Time Password (OTP), you need to configure mail server settings by performing the following steps.

      • Go to the Admin tab.
      • Click the Server link under General Settings.
      • Under Mail Settings, specify the name and port of the mail server.
      • Click the Advanced link in order to specify the username and password for mail server access.
      • Enter the Admin Mail Address and test the configuration by clicking the Send Test Mail link.
      • Click the Save Changes button.
      • Under one time password via email, enter the subject of the OTP email.
      • Enter the content of the email using Macros where needed.
      • Click the Save button.

      RSA Authenticator:  

      RSA SecurID, formerly referred to as SecurID, is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) for performing two-factor authentication for a user to a network resource. Users can log in to ADManager Plus with the security codes generated by the RSA SecurID mobile app or hardware tokens, or with tokens received by email or on their mobile device.

      Steps to integrate RSA SecurID with ADManager Plus:

      • Log in to your RSA admin console (e.g., https://<RSA machinename>.<domain DNS name>/sc).
      • Go to Access → Authentication Agents and click Add New.
      • Add ADManager Plus Server as an Authentication agent and click Save.
      • Go to Access → Authentication Agents and click Generate Configuration File.
      • Download AM_Config.zip (Authentication Manager config).
      • Extract sdconf.rec from the zip to <installation-dir>/bin. If there is a file named securid (node secret file), copy it too.
      • That's it! You are now ready to use RSA SecurID with ADManager Plus.

      NOTE: Ensure that the required authapi.jar file and its Log4j JAR files are located in the <ADManagerPlus_install_directory>/lib folder. If not, obtain the latest authapi.jar file and its latest Log4j JAR files from RSA SecurID and add these files to the <ADManagerPlus_install_directory>/lib folder.

      Troubleshooting: Log in to your RSA admin console and go to the Reporting tab. Under Real time Activity Monitors, click Authentication Activity Monitor, then click Start Monitor.

      Microsoft Authenticator:

      • Navigate to Delegation → Configuration → Logon Settings.
      • Toggle to the Two Factor Authentication tab.
      • Select the Enable Microsoft Authenticator button.
      • Install the Microsoft Authenticator App on your smartphone and set it up.
      • Provide the code generated in the app when logging in to ADManager Plus, in addition to your username and password.

      SMS verification:  

      To enable SMS verification as an authentication method, configure SMS gateway settings in ADManager Plus and follow these steps:

      • Navigate to the Delegation tab and under Configuration, click Logon Settings.
      • Toggle to Two Factor Authentication and click SMS Verification.
      • Select the Enable SMS Verification button.
      • In the Message field, enter the SMS content using macros and click Save.

      Steps to enroll your phone number:

      • Log in to ADManager Plus using your account credentials.
      • In the Log in using SMS Verification page that opens up, enter your phone number and click Send Code.
      • Enter the six-digit secret code sent to your phone number and enable the Trust this browser option to skip this step for the next 180 days.
      • Click on the Verify code button to verify.
    6.  Manage the users who have been successfully authenticated using TFA by clicking the Manage Authenticated Users button. The list of TFA configured users is displayed. If needed, you can remove the configured TFA and allow the user to reconfigure the settings.
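
A pre-flight check for the file placement described in the RSA SecurID steps and note above, as an added example that is not part of the original page or of the product's own tooling. The file names sdconf.rec, securid and authapi.jar and the bin and lib folders come from the page; that both folders sit under one install directory, the log4j*.jar file-name pattern, and the function name check_rsa_files are assumptions.

```python
import re
from pathlib import Path

# File names come from the RSA SecurID steps; the log4j*.jar pattern is an assumption.
LOG4J_VERSION = re.compile(r"log4j.*?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def check_rsa_files(install_dir):
    """Check the files the RSA SecurID integration expects under install_dir.

    Returns a dict with 'missing' (required files absent or empty),
    'node_secret' (True if bin/securid exists) and 'log4j' ({jar name: version}).
    """
    root = Path(install_dir)
    required = [root / "bin" / "sdconf.rec", root / "lib" / "authapi.jar"]
    # A zero-byte file usually means a failed extract or copy, so count it as missing.
    missing = [p.relative_to(root).as_posix() for p in required
               if not p.is_file() or p.stat().st_size == 0]

    log4j = {}
    lib = root / "lib"
    if lib.is_dir():
        for jar in sorted(lib.glob("*.jar")):
            if jar.name.lower().startswith("log4j"):
                m = LOG4J_VERSION.search(jar.name)
                # Version is read from the file name only; None if it carries none.
                log4j[jar.name] = m.group(1) if m else None
    if not log4j:
        missing.append("lib/log4j*.jar")

    return {
        "missing": missing,
        # The node secret is optional: the page says to copy it only if it exists.
        "node_secret": (root / "bin" / "securid").is_file(),
        "log4j": log4j,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_rsa_files.py <ADManagerPlus_install_directory>
    report = check_rsa_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in report["missing"]:
        print("MISSING:", name)
    print("node secret (securid) present:", report["node_secret"])
    for jar, version in report["log4j"].items():
        print("log4j jar:", jar, "version:", version or "unknown")
    sys.exit(1 if report["missing"] else 0)
```

The script exits non-zero when a required file is missing, so it can gate a deployment step; the reported Log4j versions can be compared against what RSA currently ships.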

    To personalize your preferred authentication method:

    In order to choose your preferred authentication method, or to use an authentication service different from the one you are currently using, perform the following steps.

    • Go to the My Account link at the top left corner.
    • Select the Manage my TFA settings option.
    • Click the Edit button.
    • Choose your preferred authentication method from the options available.
    • If Google Authenticator is your preferred method, the next dialog box prompts you to scan the QR code presented and enter the code generated by the app on your smartphone.
    • Click the Verify button.

    Note: 

    For users with Duo Security as the preferred authentication service, if your smartphone is lost or replaced, TFA can still be performed smoothly by deleting the account in Duo. Follow the above steps, choose Duo Security as your preferred authentication method, and enable Duo Security once again to start from scratch.