Two-Factor Authentication (2FA/MFA) for Windows Logon & RDP
How to set up Two-Factor Authentication (2FA/MFA) for Windows Logon & RDP
Given the pace of password-based breaches, relying only on a username and password to secure user accounts is no longer an option; additional layers of security are needed to keep unauthorized users out. miniOrange Two-Factor Authentication (2FA/MFA) for Windows logon adds such a layer to your Microsoft Windows accounts, so that a stolen or guessed password alone is no longer enough to log on.
With Windows 2FA/MFA enabled, a user's identity is verified with a second factor before access is granted, making it harder for unauthorized users to get into a Microsoft Windows account. The miniOrange Credential Provider can be installed on Microsoft Windows client and server operating systems to add Two-Factor Authentication to Remote Desktop (RDP) and local Windows logon.
The Windows 2FA solution also handles user management against Microsoft Active Directory or an LDAP directory. Users get access to the endpoints they need with higher identity assurance and lower risk and exposure. Offline access can also be enabled, so users can complete 2FA when the machine cannot reach the miniOrange server. With miniOrange's MFA solution, organizations get secure access to all work applications, for all their users, from anywhere, on any device they choose.
miniOrange 2FA Credential Provider for Windows Logon and Remote Desktop (RDP) access supports the following Multi-Factor Authentication (MFA) methods, grouped by authentication type:
miniOrange Authenticator: Soft Token, miniOrange Push Notification, Mobile Token
Google Authenticator
Microsoft Authenticator
Authy Authenticator
SMS: OTP Over SMS, SMS with Link
Email: OTP Over Email, Email with Link
Call Verification: OTP Over Call
Hardware Token: Yubikey Hardware Token, Display Hardware Token
System Requirements for miniOrange Two-Factor Authentication (2FA / MFA) Credential Provider
miniOrange Credential Provider for Windows Logon and RDP Access supports both client and server operating systems.
Supported Microsoft Windows Client versions:
Windows 7 SP1
Windows 8.1
Windows 10
Windows 11
Supported Windows Server versions (GUI and Core installs):
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
The miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon also requires .NET Framework 4.5 or later. If a suitable .NET version is not present on the system, the miniOrange Credential Provider setup prompts you to install the .NET Framework.
The miniOrange 2-Factor Authentication (2FA/MFA) Credential Provider can also be installed via Group Policy software installation and Group Policy administrative templates (see section 5).
Get Free Installation Help - Book a Slot
miniOrange offers free help through a consultation call with our System Engineers to install or set up the Two-Factor Authentication (2FA) for Windows Logon and RDP solution in your environment, with a 30-day trial.
To book a slot, send an email to idpsupport@xecurify.com and we'll help you set it up in no time.
Disable the methods you don’t want your users to configure or use for MFA
3. Set up the miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon
Go to the folder where you downloaded the mOCredentialProvider.msi file. Double-click it to open the installation window and follow the instructions to install it.
Go to C:\Program Files\miniOrangeCredProviderInstaller and open Configuration.exe.
Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" read "Yes".
Copy customer details.
If you are using the miniOrange Cloud IDP server:
Log in to the miniOrange console with your customer account and go to "Product settings". Copy the "Customer Key" and "Customer API Key" and keep them with you.
If you are using an on-premise IDP server:
Log in to your on-premise IDP server account and go to the "Product settings" section. Copy the "Server Base URL", "Customer Key" and "Customer API Key" and keep them with you.
Double-click the miniOrange plugin entry and add these details:
Customer ID (the Customer Key copied above)
API Key (the Customer API Key copied above)
Name of the application that was created in miniOrange.
If you are using domain-joined machines, click the Domain User Login plugin in the Plugin Selection window.
Set these values and click on Save:
Login Behaviour - Automatically Add Domain
Domain - Your AD domain
Make sure the Gateway box is checked.
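As an added check (an example script, not part of the miniOrange installer or documentation), the following PowerShell confirms from the command line what Configuration.exe shows in its status panel: the .NET prerequisite, the service state, and whether a credential provider is registered and enabled. It assumes the service display name starts with "miniOrange" and that the provider's registered name contains "pGina" or "miniOrange"; neither assumption comes from this page, so adjust the patterns if your install differs.

```powershell
# Added example; not part of the miniOrange installer or documentation.
# Verifies the step-3 prerequisites and status on the local machine.
# Assumptions (not from the page): service display name starts with "miniOrange",
# and the registered credential provider name contains "pGina" or "miniOrange".
$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# .NET Framework 4.5 or later: the Release value of the v4 Full key is >= 378389.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.5+'] = [bool]($ndp -and $ndp.Release -ge 378389)

# Installer folder and configuration tool named in step 3.
$installDir = 'C:\Program Files\miniOrangeCredProviderInstaller'
$results['Configuration.exe present'] = Test-Path (Join-Path $installDir 'Configuration.exe')

# The service must be running for the 2FA prompt to work (assumed display-name prefix).
$svc = Get-Service | Where-Object { $_.DisplayName -like 'miniOrange*' }
$results['miniOrange service running'] = [bool]($svc | Where-Object Status -eq 'Running')

# LogonUI only loads providers registered under this key; "Registered: Yes" in
# Configuration.exe corresponds to a CLSID subkey here.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$providers = Get-ChildItem $cpRoot | ForEach-Object {
    [pscustomobject]@{
        Clsid    = $_.PSChildName
        Name     = [string]$_.GetValue('')
        Disabled = ($_.GetValue('Disabled') -eq 1)   # per-provider disable switch
    }
}
$mo = @($providers | Where-Object { $_.Name -match 'pGina|miniOrange' })
$results['Credential provider registered'] = $mo.Count -gt 0

# "Enabled: Yes" means neither the per-provider Disabled value nor the
# "Exclude credential providers" policy (ExcludedCredentialProviders) blocks it.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$excluded = @()
if ($policy.ExcludedCredentialProviders) {
    $excluded = $policy.ExcludedCredentialProviders -split ',' | ForEach-Object Trim
}
$results['Credential provider enabled'] = [bool]($mo | Where-Object { -not $_.Disabled -and $excluded -notcontains $_.Clsid })

# pGina3 settings (pushed by the GPO in section 5) live under this key.
$results['pGina3 registry key present'] = Test-Path 'HKLM:\SOFTWARE\pGina3'

$results.GetEnumerator() | ForEach-Object {
    '{0,-35} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
$mo | Format-Table Clsid, Name, Disabled -AutoSize
```

Run it in an elevated PowerShell after step 3. Every row should read OK before you move on to the test in step 4; a provider that is registered but not enabled is usually a leftover "Exclude credential providers" policy rather than a broken install.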
4. Test the miniOrange Credential Provider 2FA Setup
We'll do a simple test to see how the 2FA prompt shows up on your logon screen and to check that everything is configured correctly.
Run the command "MFAAuthnPrompt.exe username", replacing username with your Windows username.
Note:
The username you enter must exist in Windows and must match the username in the users list of your miniOrange account exactly. Do not include the domain name in the command.
The following Two-Factor Authentication (2FA) prompt is displayed. The 2FA options each user sees vary depending on the ones you enabled in step 2 and the ones the user has configured.
Select your 2FA method and click on "Next".
Enter the OTP on the next screen based on the option you selected.
Try a Windows/RDP logon with miniOrange MFA as shown below.
After the username and password are accepted, you are prompted for Two-Factor Authentication (2FA). Select the 2FA method and click Next.
Enter your OTP and click Next as shown in the screenshot below. After successful OTP validation the user is logged into the Windows machine.
5. Set up the Credential Provider Group Policy for Windows
Group Policy provides centralized management and configuration of operating system, application and user settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO).
It gives network administrators one place to configure a variety of Windows settings for every computer on the network.
Here we use a GPO to install the credential provider software and to push its Windows registry settings in one go to each computer joined to the domain.
Follow these steps to set up the miniOrange Multi-Factor Authentication (2FA/MFA) Credential Provider Group Policy:
Search for "Computer Management" in the programs search and open it. Go to "Shared Folders -> Shares".
Right-click in the "Shares" area and click "New" from the list, as shown in the screenshot below.
Click "Next" in the newly opened Shared Folder Wizard.
Click on the "Browse" button.
Browse for the folder path on the system where the "mOCredentialProvider.msi" resides and select that folder.
Click on "Next".
Provide a description of the folder being shared and click "Next".
Select the permissions for the shared folder. Assigned software is installed in the computer's own security context, so "Domain Computers" (or "Authenticated Users", which includes computer accounts) needs Read access; grant Change or Full Control only to the administrators who maintain the package, because anyone who can replace the MSI on this share gets it executed as SYSTEM on every targeted computer.
The folder is now shared. Click "Finish".
Go to the shared folder on your system, right-click the "mOCredentialProvider.msi" file and select "Share with -> Specific people".
Make sure the file is shared with the "Administrator" users of your domain as well as with the user on the Windows computer from which you are going to create the Group Policy Object.
Open "Administrative Tools -> Group Policy Management". Right-click your domain and select "Create a GPO in this domain, and Link it here...".
Provide a Name for the GPO and click on "OK".
In the "Security Filtering" section of the GPO's Scope tab you can add or remove specific users, groups and computers of your domain, so that the Group Policy is applied only to that set of users, groups and computers.
Right-click the newly created GPO and select "Edit" from the menu.
A new window opens in which you edit the GPO as described below.
Expand "Policies -> Software Settings" under Computer Configuration.
Go to the shared folder on your system.
Right-click the shared folder "mOCredentialProvider" and select Properties.
Go to the "Sharing" tab of the Properties window and copy the "Network path". Use this UNC path, not a local drive letter, when selecting the package in the next step: the client computers must be able to resolve it.
Right-click in the "Software Installation" area and select "New -> Package".
Select the "mOCredentialProvider.msi" file from the shared folder using the network path.
Select "Assigned" and click "OK".
Double click on the "miniOrangeCredProviderInstaller" package.
Goto "Deployment" tab and click on the "Advanced" button.
Enable the "Ignore language when deploying this package" checkbox under Advanced deployment options and click "OK".
Click "Apply" and then "OK" to close the Properties window.
Expand "Preferences -> Windows Settings -> Registry" under Computer Configuration.
Right-click "Registry" and select "New -> Registry Wizard".
Select "Local Computer", since the miniOrange Credential Provider package is installed on this Windows machine. Click "Next".
Expand the "HKEY_LOCAL_MACHINE" folder.
Go to "SOFTWARE -> pGina3" under "HKEY_LOCAL_MACHINE".
Enable the checkboxes for all values in the "pGina3" key and click "Finish".
Expand the "First Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3" and make sure all selected values are present.
Repeat the previous three steps for the "SOFTWARE -> pGina3 -> Plugins -> 0f52390b-c781-43ae-bd62-553c77fa4cf7" key.
Enable the checkboxes for all values except "SearchPW" and click "Finish". Leaving "SearchPW" out is deliberate: Group Policy Preference registry items are written in clear text to Registry.xml under SYSVOL, which every authenticated domain user can read, so a directory bind password pushed this way would be exposed to the whole domain.
Expand the "Second Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 0f52390b-c781-43ae-bd62-553c77fa4cf7" and make sure all selected values except "SearchPW" are present.
Repeat the three steps for the "SOFTWARE -> pGina3 -> Plugins -> 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" key, as shown in the screenshot below. Enable the checkboxes for all values and click "Finish".
Expand the "Third Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" and make sure all selected values are present.
Repeat the three steps for the "SOFTWARE -> pGina3 -> Plugins -> 81f8034e-e278-4754-b10c-7066656de5b7" key, as shown in the screenshot below. Enable the checkboxes for all values except "Password" (excluded for the same reason as "SearchPW" above) and click "Finish".
Expand the "Fourth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 81f8034e-e278-4754-b10c-7066656de5b7" and make sure all selected values except "Password" are present.
Repeat the three steps for the "SOFTWARE -> pGina3 -> Plugins -> ffd3547a-c950-4ef4-bb0e-b6523965c021" key, as shown in the screenshot below. Enable the checkboxes for all values and click "Finish".
Expand the "Fifth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> ffd3547a-c950-4ef4-bb0e-b6523965c021" and make sure all selected values are present.
The Group Policy settings are applied to the computers after they restart. You can also force a refresh by running gpupdate /force from a command prompt on the target computer; because the package is assigned to the computer, the software installation itself still takes effect at the next startup. NOTE: log in to the other domain-joined Windows computer on which you want to apply these Group Policy settings.
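Before the computers pick the policy up, it is worth auditing what the Registry Wizard actually wrote. The script below is an added example, not part of the miniOrange documentation: it reads the GPO's Registry.xml from SYSVOL, checks that the five pGina3 keys from the steps above are covered, and flags any value whose name looks like a secret (the two the steps exclude, "SearchPW" and "Password", plus a generic pattern). The GPO name is an assumption; use the name you gave it in the "Provide a Name for the GPO" step.

```powershell
# Added example; not part of the miniOrange documentation.
# Audits the Group Policy Preference registry items of the GPO built in section 5.
# Assumption: the GPO name below; run on a domain-joined host with the GroupPolicy module (RSAT).
$GpoName = 'miniOrange Credential Provider'

Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName

# GPP registry items are stored in clear text at this SYSVOL path, readable by
# every authenticated domain user; that is why bind passwords must not be in it.
$xmlPath = '\\{0}\SYSVOL\{0}\Policies\{{{1}}}\Machine\Preferences\Registry\Registry.xml' -f $gpo.DomainName, $gpo.Id
if (-not (Test-Path -LiteralPath $xmlPath)) { throw "No Registry preferences found for '$GpoName' at $xmlPath" }

[xml]$doc = Get-Content -LiteralPath $xmlPath -Raw
# The wizard nests items in Collection folders ("First Registry Wizard Values", ...),
# so select every Registry/Properties node regardless of depth.
$items = @($doc.SelectNodes('//Registry/Properties') | ForEach-Object {
    [pscustomobject]@{ Key = $_.key; Name = $_.name; Type = $_.type; Value = $_.value }
})

# Keys the five wizard runs on this page populate: pGina3 root plus the four plugin GUIDs.
$expectedKeys = @(
    'SOFTWARE\pGina3',
    'SOFTWARE\pGina3\Plugins\0f52390b-c781-43ae-bd62-553c77fa4cf7',
    'SOFTWARE\pGina3\Plugins\12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d',
    'SOFTWARE\pGina3\Plugins\81f8034e-e278-4754-b10c-7066656de5b7',
    'SOFTWARE\pGina3\Plugins\ffd3547a-c950-4ef4-bb0e-b6523965c021'
)
$presentKeys = @($items | ForEach-Object Key | Sort-Object -Unique)
$missing = @($expectedKeys | Where-Object { $presentKeys -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Keys not covered by the GPO:`n  " + ($missing -join "`n  "))
}

# "SearchPW" and "Password" are the two values the page leaves out; the rest of the
# pattern catches other secret-looking names so an admin can decide case by case.
$leaks = @($items | Where-Object { $_.Name -match '^(SearchPW|Password)$|passw|secret|apikey' })
if ($leaks.Count -gt 0) {
    Write-Warning 'Secret-looking values found in SYSVOL (world-readable):'
    $leaks | Format-Table Key, Name, Type -AutoSize
} else {
    "No password-like values in '$GpoName' ($($items.Count) registry items over $($presentKeys.Count) keys)."
}
```

Run it as a domain user after the fifth wizard pass. If it reports a missing key, one of the wizard runs was skipped; if it reports a leak, delete that item from the GPO rather than leaving a secret in SYSVOL. On a target computer, gpresult /r /scope:computer shows whether the GPO was applied after the restart.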
6. Configure Your User Directory (Optional)
miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc.), Identity Providers (like Okta, Shibboleth, Ping, OneLogin, KeyCloak), Databases (like MySQL, MariaDB, PostgreSQL) and many more. You can configure your existing directory/user store or add users in miniOrange.
To add a user manually, go to Users >> User List, click the Add User button, fill in the user details without the password and click the Create User button.
After successful user creation, the notification "An end user is added successfully" is displayed at the top of the dashboard.
Click the On Boarding Status tab. Tick the user with the registered e-mail address, select the action Send Activation Mail with Password Reset Link from the Select Action dropdown list and click the Apply button.
Now open your mailbox, open the mail you received from miniOrange and click the link to set your account password.
On the next screen, enter the password and its confirmation and click the Single Sign-On (SSO) reset password button.
Now you can log in to your miniOrange account with your credentials.
2. Bulk Upload Users in miniOrange via CSV File
Navigate to Users >> User List. Click the Add User button.
In Bulk User Registration, download the sample CSV format from the console and edit the file according to the instructions.
To bulk upload users, choose the file (it must be in comma-separated .csv format) and click Upload.
After the CSV file has been uploaded successfully, you will see a success message with a link.
Click that link to see the list of users to whom an activation mail can be sent. Select the users and click Send Activation Mail; an activation mail is sent to the selected users.
Click External Directories >> Add Directory in the left menu of the dashboard.
Select Directory type as AD/LDAP.
STORE LDAP CONFIGURATION IN MINIORANGE: choose this option if you want to keep your configuration in miniOrange. If your Active Directory is behind a firewall, you will need to open the firewall to allow incoming requests from miniOrange to your AD; restrict that rule to the miniOrange source addresses and use LDAPS (port 636) rather than exposing plain LDAP on port 389 to the internet.
STORE LDAP CONFIGURATION ON PREMISE: choose this option if you want to keep your configuration on your premises and only allow access to AD from inside them. You will have to download and install the miniOrange gateway on your premises.
Enter the LDAP Display Name and LDAP Identifier name.
Select Directory Type as Active Directory.
Enter the LDAP server URL or IP address in the LDAP Server URL field (for example ldap://hostname:389 or, preferably, ldaps://hostname:636).
Click the Test Connection button to verify that a connection to your LDAP server can be made.
Enter the Distinguished Name of the bind account: in Active Directory, open the properties of the account (or of the user container/OU that holds it) and look up the Distinguished Name attribute. Use a dedicated service account with read-only rights for this, not a Domain Admin; the bind credentials are stored in the configuration.
Enter the valid Bind account Password.
Click the Test Bind Account Credentials button to verify your LDAP bind credentials for the LDAP connection.
Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got the Distinguished Name (typically the DN of the OU or container that holds your users).
Select a suitable Search Filter from the dropdown menu. To use a custom Search Filter, select the "Write your Custom Filter" option and customize it accordingly.
You can also configure the following options while setting up AD. Enable Activate LDAP to authenticate users against AD/LDAP. Click the Save button to add the user store.
Here is the list of the options and what each does when enabled. Enable or disable them as needed.
Option - Description
Activate LDAP - All user authentications are done with LDAP credentials if you activate it.
Sync users in miniOrange - Users are created in miniOrange after authenticating with LDAP.
Fallback Authentication - If LDAP authentication fails, the user is authenticated against miniOrange. Note that a user who is disabled or locked out in AD can then still authenticate with a miniOrange password if one is set, so leave this off unless you need it.
Allow users to change password - Lets your users change their password; the new credentials are updated in your LDAP server.
Enable administrator login - Your miniOrange Administrator login authenticates against your LDAP server.
Show IdP to users - This IdP is visible to users.
Send Configured Attributes - Only the attributes configured below are sent as attributes at login.
Click Save. The list of user stores is then shown. Click Test Connection to check whether you entered valid details; it asks for a username and password.
On successful connection to the LDAP server, a success message is shown.
Click Test Attribute Mapping.
Enter a valid username and click Test. The mapped attributes for that user are fetched.
After the attribute mapping has been configured successfully, go back to the LDAP configuration and enable Activate LDAP in order to authenticate users from AD/LDAP.
Enable the "Enable User Auto Registration" option and click Save.
(Optional) To send a welcome email to all the end users that will be imported, enable the "Enable sending Welcome Emails after user registration" option and click Save.
From the left-side menu of the dashboard, select Provisioning.
In the Setup Provisioning tab, select Active Directory in the Select Application dropdown.
Toggle the Import Users option and click the Save button.
In the same section, switch to the Import Users tab.
Select Active Directory from the dropdown and click Import Users to import all users from Active Directory into miniOrange.
You can view all the users you have imported by selecting Users >> User List from the left panel.
All the imported users are auto-registered.
The groups imported with the users are useful for attaching multiple 2FA policies to applications.
miniOrange integrates with various other external user sources such as directories and identity providers in the same way.
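Before saving the directory configuration above, you can reproduce the console's Test Bind Account Credentials and Test Attribute Mapping checks yourself. The PowerShell below is an added example (not part of the miniOrange console): it binds with the bind account DN over LDAPS, runs the search filter for one username under the search base and reports what comes back. The server, port, bind DN, search base, filter and username are placeholders. Two points the console steps do not spell out: a simple bind sends the bind password in clear text unless you use LDAPS, and the username that goes into the filter must be escaped so that it cannot alter the filter.

```powershell
# Added example; not part of the miniOrange console or documentation.
# Server, Bind DN, Search Base, filter and username below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapUserLookup {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,                       # 636 = LDAPS; a simple bind over 389 sends the password in clear
        [Parameter(Mandatory)][string]$BindDn,
        [Parameter(Mandatory)][securestring]$BindPassword,
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$Filter = '(&(objectCategory=person)(sAMAccountName={0}))',
        [Parameter(Mandatory)][string]$Username
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    try {
        $conn.Bind()                            # same check as "Test Bind Account Credentials"
    } catch {
        return [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message; Entries = @() }
    }

    # The username is untrusted input to the filter: escape it per RFC 4515 so a
    # value such as "*)(objectClass=*" cannot widen the search (backslash first).
    $safe = $Username -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $SearchBase, ($Filter -f $safe),
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName', 'sAMAccountName', 'mail', 'memberOf'))
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    $entries = foreach ($e in $resp.Entries) {
        [pscustomobject]@{
            DN      = $e.DistinguishedName
            Account = [string]$e.Attributes['sAMAccountName'][0]
            Mail    = $(if ($e.Attributes['mail']) { [string]$e.Attributes['mail'][0] } else { $null })
            Groups  = $(if ($e.Attributes['memberOf']) { @($e.Attributes['memberOf'].GetValues([string])) } else { @() })
        }
    }
    $conn.Dispose()
    # Exactly one entry is what the credential provider needs: zero means the base or
    # filter is wrong, more than one means the filter is too loose for this directory.
    [pscustomobject]@{ Bound = $true; Error = $null; Entries = @($entries) }
}

# Placeholder values; the bind password is prompted for rather than embedded in the script.
$r = Test-LdapUserLookup -Server 'dc01.corp.example.com' `
        -BindDn 'CN=svc-miniorange,OU=Service Accounts,DC=corp,DC=example,DC=com' `
        -BindPassword (Read-Host -AsSecureString 'Bind password') `
        -SearchBase 'OU=Users,DC=corp,DC=example,DC=com' -Username 'jdoe'
$r | Format-List Bound, Error
$r.Entries | Format-Table DN, Account, Mail -AutoSize
```

If Bound is false with "Invalid Credentials", the DN or password is wrong; if it is false with a connection error on port 636, the domain controller has no LDAPS certificate and you should fix that rather than fall back to 389. The memberOf values returned are the groups the provisioning step imports and that the 2FA policies can be attached to.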
miniOrange Credential Provider for Remote Desktop (RDP)
The user initiates the logon to Remote Desktop Services either through a Remote Desktop client or via the RD Web login page in a browser. The miniOrange RD Web component installed on the target machine then sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD and, on success, invokes two-factor authentication. Once the user has completed the second factor, access to the Remote Desktop Service (RDP) is granted.
A user can connect to RDS (Remote Desktop Services) in two ways:
RDC - Remote Desktop Client: if the RemoteApp is launched through a Remote Desktop client application, the user's second factor is validated at the point where the username and password are entered. Because this path does not support the RADIUS Access-Challenge/response exchange, only out-of-band authentication methods (ones the user approves outside the logon dialog, such as a push notification) are supported here.
RD Web Access - RD login page via browser: if the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for the second factor via a RADIUS Access-Challenge. After the user authenticates correctly, they are connected to their resources.
Two-Factor Authentication (2FA/MFA) for RDS via RD Web
How it works
In this case the user opens the RD Web login page in a browser to connect to the Remote Desktop Service and enters a username and password. On submission, the RD Web component installed on the target machine sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD of the target machine.
Once the password is verified, the server returns a RADIUS Access-Challenge to RD Web, and RD Web shows the OTP screen in the browser. When the user enters the one-time passcode, the miniOrange IdP verifies it and grants or denies access to the RDS.
Once connected to the Remote Desktop Service, the user also has access to the published RemoteApp icons on the browser screen, since the session has already been created for the user.
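The exchange described above, as an added example that is not the miniOrange RD Web component's code: a minimal RADIUS client in PowerShell that sends an Access-Request carrying the user's password, handles the Access-Challenge by prompting for the OTP, and resends an Access-Request that echoes the server's State attribute together with the OTP, ending in Access-Accept or Access-Reject. Packet layout, User-Password hiding and the Response Authenticator check follow RFC 2865; the server address, port, shared secret and NAS-Identifier are placeholders, not values from this page.

```powershell
# Added example; not the miniOrange RD Web component. Models the RADIUS
# Access-Request -> Access-Challenge -> Access-Request(State + OTP) -> Accept/Reject
# flow described above. Server, port, secret and NAS-Identifier are placeholders.

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    if ($Value.Length -gt 253) { throw "attribute $Type exceeds 253 bytes" }
    [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)            # Type, Length, Value
}

function Protect-RadiusPassword([byte[]]$Secret, [byte[]]$Authenticator, [string]$Password) {
    # RFC 2865 5.2: zero-pad to 16-byte blocks; block i is XORed with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $pw  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    if ($pw.Length -gt 128) { throw 'User-Password is limited to 128 bytes' }
    $len    = [Math]::Max(16, [int][Math]::Ceiling($pw.Length / 16) * 16)
    $padded = New-Object byte[] $len
    [Array]::Copy($pw, $padded, $pw.Length)
    $out  = New-Object byte[] $len
    $prev = $Authenticator
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    return $out
}

function New-RadiusAccessRequest([byte]$Id, [byte[]]$Secret, [string]$User, [string]$Password, [byte[]]$State) {
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)   # Request Authenticator
    $utf8  = [System.Text.Encoding]::UTF8
    $attrs = New-RadiusAttribute 1 $utf8.GetBytes($User)                                 # User-Name
    $attrs += New-RadiusAttribute 2 (Protect-RadiusPassword $Secret $auth $Password)     # User-Password (or OTP)
    $attrs += New-RadiusAttribute 32 $utf8.GetBytes('rdweb-example')                     # NAS-Identifier (placeholder)
    if ($State) { $attrs += New-RadiusAttribute 24 $State }                              # State echoed from the challenge
    $len = 20 + $attrs.Length
    $pkt = [byte[]](@(1, $Id, [byte]($len -shr 8), [byte]($len -band 0xFF)) + $auth + $attrs)   # Code 1 = Access-Request
    [pscustomobject]@{ Bytes = $pkt; Authenticator = $auth }
}

function Read-RadiusResponse([byte[]]$Pkt, [byte[]]$Secret, [byte[]]$RequestAuth) {
    $len = ($Pkt[2] -shl 8) -bor $Pkt[3]
    if ($len -lt 20 -or $len -gt $Pkt.Length) { throw 'malformed RADIUS length' }
    $attrBytes = if ($len -gt 20) { [byte[]]$Pkt[20..($len - 1)] } else { [byte[]]@() }
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # A reply failing this check is forged or came from a server with a different secret.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $expected = $md5.ComputeHash([byte[]]($Pkt[0..3] + $RequestAuth + $attrBytes + $Secret))
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String([byte[]]$Pkt[4..19])) {
        throw 'Response Authenticator mismatch; discarding reply'
    }
    $resp = [pscustomobject]@{ Code = $Pkt[0]; Id = $Pkt[1]; State = $null; ReplyMessage = $null }
    $p = 0
    while ($p -lt $attrBytes.Length) {
        $t = $attrBytes[$p]; $l = $attrBytes[$p + 1]
        if ($l -lt 2 -or ($p + $l) -gt $attrBytes.Length) { throw 'malformed RADIUS attribute' }
        $v = if ($l -gt 2) { [byte[]]$attrBytes[($p + 2)..($p + $l - 1)] } else { [byte[]]@() }
        switch ($t) {
            18 { $resp.ReplyMessage = [System.Text.Encoding]::UTF8.GetString($v) }   # Reply-Message: prompt text
            24 { $resp.State = $v }                                                  # State: opaque, echo it back
        }
        $p += $l
    }
    return $resp
}

function Invoke-RadiusOtpLogin([string]$Server, [int]$Port, [string]$Secret, [string]$User, [string]$Password, [scriptblock]$GetOtp) {
    $sec = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 5000
    $udp.Connect($Server, $Port)
    $ep = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $id = 0; $state = $null; $credential = $Password
    try {
        for ($round = 0; $round -lt 3; $round++) {              # bound the number of challenge rounds
            $req = New-RadiusAccessRequest $id $sec $User $credential $state
            [void]$udp.Send($req.Bytes, $req.Bytes.Length)
            $resp = Read-RadiusResponse ($udp.Receive([ref]$ep)) $sec $req.Authenticator
            if ($resp.Id -ne $id) { throw 'reply identifier does not match request' }
            switch ($resp.Code) {
                2  { return 'Access-Accept' }
                3  { return 'Access-Reject' }
                11 {   # Access-Challenge: this is where RD Web shows its OTP screen
                    $state = $resp.State
                    $credential = & $GetOtp $resp.ReplyMessage
                    $id = ($id + 1) % 256
                }
                default { throw "unexpected RADIUS code $($resp.Code)" }
            }
        }
        throw 'too many challenge rounds'
    } finally { $udp.Close() }
}

# Usage with placeholder values:
# Invoke-RadiusOtpLogin -Server 'radius.corp.example.com' -Port 1812 -Secret 'shared-secret' `
#     -User 'jdoe' -Password 'P@ssw0rd' -GetOtp { param($prompt) Read-Host $prompt }
```

The second Access-Request carries the OTP in the User-Password attribute and the untouched State from the challenge, which is how the server ties the two requests together. The Remote Desktop client path cannot do this because mstsc has no place to show the Reply-Message or collect the OTP, which is why the RDC case above is limited to out-of-band methods. Note also that RADIUS over UDP only hides the password with MD5 against the shared secret; keep the RD Web component and the RADIUS server on a trusted network segment.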