How to configure two-factor authentication (2FA) for technicians in ADManager Plus

Objective:

To configure two-factor authentication (2FA) for technicians in ADManager Plus.

Solution:

You can configure a secured login to the ADManager Plus console by configuring two-factor authentication (2FA). If ADManager Plus technicians have 2FA enabled, they must authenticate twice: first by entering their credentials and then by any other method enabled by the admin to login to the console. However, the ADManager Plus default admin account is allowed to skip 2FA.

ADManager Plus allows 2FA to be performed through authentication services such as:

• Duo Security
• Google Authenticator
• RSA Authenticator
• Microsoft Authenticator
• SMS Verification
• One time password (OTP) via email.

Steps to configure 2FA in ADManager Plus using different applications

1. Login to ADManager Plus and click the Delegation tab.
2. Under the Configuration section in the left pane, click Logon Settings.
3. Click the Two Factor Authentication tab.
4. Toggle the Two Factor Authentication button on.
5. Select any of the following authentication services for 2FA:
   1. Duo Security
      1. Login to your Duo Security account, and navigate to the Applications > Protect an application section in the left pane.
      2. Search for Web SDK from the list of applications and click Protect. Refer here for more information on Web SDKv4
      3. Copy the Client ID, Client secret, and API hostname.
      4. Now, go to the ADManager Plus console and expand Duo Security.
      5. Check the Enable Duo Security option and select Web v4 SDK as the Integration Type.
      6. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
      7. Enter the same username pattern used in Duo Security in the Username Pattern field.
      8. Click Save.
   2. Google Authenticator
      1. Install and set up Google Authenticator on your smartphone by following the steps listed on this page.
      2. Switch to ADManager Plus and expand Google Authenticator.
      3. Click the Enable Google Authenticator button.
      4. While logging in to ADManager Plus, enter the code generated by the Google Authenticator app in your smartphone, in addition to your username and password.
   3. One time password via email

      In order to receive OTP via email, you need to configure the email server settings in the product.

      1. Expand One time password via email and check the One time password via email option.
      2. Enter a subject and draft a message using Macros in the Subject and Message fields, respectively.
      3. Click Save.
   4. RSA Authenticator

      RSA SecurID is a 2FA mechanism developed by the RSA, the Security Division of EMC, for users attempting to access a network resource. Users can use the security codes generated by the RSA SecurID mobile app, a hardware token, or a token sent to their email or mobile device to log in to ADManager Plus. You can follow the steps below to configure RSA SecurID for SDK integration.

      Steps to configure RSA SecurID for SDK integration:

      • Log in to your RSA admin console (e.g., https://RSAmachinename.domain DNS name/sc).
      • Go to the Access tab.
      • Under Authentication Agents, click Add New.
      • Add ADManager Plus Server as an Authentication Agent and click Save.
      • Navigate back to the Access tab. Under Authentication Agents, click Generate Configuration File.
      • Download the AM_Config.zip file.
      • Copy the Authentication Manager configuration file, sdconf.rec from the zip and paste it in <-installation-dir>/bin. If there is a file named securid (node secret file), copy and paste it, too.

        Note:

        • Ensure that the JAR files mentioned below are extracted from RSA SecurID and placed in the <ADManagerPlus_install_directory>/lib folder:
          • authapi.jar
          • Log4j.jar
          • certj.jar
          • commons-logging.jar
          • cyrptojce.jar
          • cryptojcommon.jar
          • jcmFIPS.jar
          • sslj.jar
          • xmlsec.jar
        • Restart ADManager Plus after adding the files.
      • Click Save.
   5. Microsoft Authenticator
      1. Install and set up Microsoft Authenticator on your smartphone.
      2. Navigate to ADManager Plus and expand Microsoft Authenticator.
      3. Check the Enable Microsoft Authenticator option.
      4. While logging in to ADManager Plus, enter the code generated by the Microsoft Authenticator app in your smartphone, in addition to your username and password.
   6. SMS verification

      To enable SMS verification as an authentication method, configure SMS gateway settings in ADManager Plus and follow these steps:

      1. Expand SMS Verification and check the Enable SMS Verification box.
      2. In the Message field, enter the SMS content using macros and click Save.
         • Steps to enroll your phone number
           1. Login to ADManager Plus using your account credentials.
           2. In the Log in using SMS Verification page that opens up, enter your phone number and click Send Code.
           3. Enter the six-digit secret code you received via SMS in the field. If needed, enable the Trust this browser option to skip this step for the next 180 days.
           4. Click the Verify code to verify.