Configuring YubiKey authentication for Active Directory password resets and logins
YubiKey is a hardware authentication device from Yubico that is widely used as a multi-factor authentication (MFA) factor. With the YubiKey OTP method, the user plugs the key into their machine (or taps an NFC-capable key against their mobile device) and touches it; the key produces a one-time password (OTP) that is entered into the authentication field automatically, the service validates that OTP with Yubico's validation service, and the user is signed in.
Each OTP is single-use and carries a counter encrypted under a key known only to the YubiKey and the validation service, so there is no static code for an attacker to guess, and an OTP that has already been consumed is rejected on any later attempt. The one caveat a practitioner should keep in mind is that, unlike FIDO2, a Yubico OTP is not bound to the site it is entered on, so a user can still be tricked into typing it into a phishing page that relays it immediately.
Active Directory-based user actions such as domain logins have long been secured by a username and password alone. Passwords verify identity only as long as they remain secret, and phishing, credential stuffing and brute-force attacks routinely defeat that assumption. Adding an MFA method such as YubiKey Authenticator to the default username-password authentication for Active Directory domain logins materially strengthens an organization's domain security. Another useful application is during self-service Active Directory password resets and account unlocks.
ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, supports MFA using YubiKey Authenticator and 18 other methods. ADSelfService Plus uses MFA to secure the following actions:
- Active Directory self-service password reset or account unlock actions via the ADSelfService Plus web portal, the ADSelfService Plus mobile app, and the native Windows, macOS, and Linux login screens.
- Windows, macOS, and Linux logins.
- Enterprise application logins through single sign-on (SSO).
- Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.
Follow these instructions to enable YubiKey Authenticator for MFA in ADSelfService Plus:
Prerequisites:
- The firewall must allow the outbound connections listed below (ADSelfService Plus validates YubiKey OTPs against Yubico's cloud validation service):
- Obtain a Client ID and Secret Key from Yubico's API key page by following the steps below:
- Go to https://upgrade.yubico.com/getapikey.
- Enter your email address. Connect the YubiKey to your workstation or server, place the cursor in the YubiKey OTP field, and touch the key so that it enters an OTP.
- Select the I've read and accepted the Terms and Conditions option, then click Get API Key.
- Copy the displayed Client ID and Secret Key. Both are required by ADSelfService Plus; store the Secret Key securely, because it is what authenticates your server's validation requests to Yubico.
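The Client ID and Secret Key obtained above are the credentials for Yubico's OTP validation API: the Secret Key signs each verification request with HMAC-SHA1 and verifies the signature on the server's reply, and the reply's status field ("OK", "REPLAYED_OTP", "BAD_OTP", ...) is the replay protection described earlier. The following Python block is an added example written for this page; it is not ADSelfService Plus code or Yubico's client library. The secret key, the OTP, the client ID 12345 and the server reply are all constructed so the block runs offline; only the endpoint URL is Yubico's real YubiCloud verify endpoint, and the block never contacts it.

```python
"""Yubico OTP (YubiCloud) validation helpers: request signing and reply
verification with the Client ID / Secret Key from upgrade.yubico.com.
Added illustration for this page, not ADSelfService Plus or Yubico code."""

import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"  # YubiCloud v2.0 endpoint
MODHEX = set("cbdefghijklnrtuv")                         # alphabet a YubiKey types

# Constructed test material (not real credentials): a 20-byte secret in the
# base64 form Yubico issues, and a 44-character OTP with a 12-character public ID.
SAMPLE_SECRET = base64.b64encode(b"0123456789abcdefghij").decode()
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugedd"


def parse_otp(otp):
    """Split a Yubico OTP into (public_id, ciphertext), or None if malformed.

    An OTP is 32-48 modhex characters; the trailing 32 are the AES-encrypted,
    counter-carrying token and anything before them identifies the key."""
    otp = otp.strip()
    if not 32 <= len(otp) <= 48 or any(ch not in MODHEX for ch in otp):
        return None
    return otp[:-32], otp[-32:]


def sign_fields(fields, secret_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', base64-encoded.
    Both the request and the server's reply are signed this way."""
    key = base64.b64decode(secret_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(client_id, secret_key_b64, otp, nonce=None):
    """Return (url, params, nonce) for a signed verify call. The nonce is
    echoed by the server so a reply cannot be spliced onto another request."""
    if nonce is None:
        alphabet = string.ascii_lowercase + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(32))
    params = {"id": str(client_id), "otp": otp, "nonce": nonce, "timestamp": "1"}
    params["h"] = sign_fields(params, secret_key_b64)
    return VERIFY_URL + "?" + urlencode(params), params, nonce


def verify_response(body, secret_key_b64, otp, nonce):
    """Check the reply signature, then the status, then that otp and nonce
    match the request. Only the literal "OK" should ever grant access."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, _, v = line.partition("=")   # 'h=abc==' keeps its base64 padding
            fields[k] = v
    unsigned = {k: v for k, v in fields.items() if k != "h"}
    if not hmac.compare_digest(sign_fields(unsigned, secret_key_b64), fields.get("h", "")):
        return "BAD_SIGNATURE"
    status = fields.get("status", "MISSING_STATUS")
    if status != "OK":
        return status          # e.g. REPLAYED_OTP for an already-consumed OTP
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return "MISMATCH"
    return "OK"


def make_server_response(secret_key_b64, otp, nonce, status):
    """Construct a reply signed the way the validation server signs it.
    Used only to exercise verify_response offline with the sample key."""
    fields = {"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign_fields(fields, secret_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


if __name__ == "__main__":
    url, params, nonce = build_verify_request(12345, SAMPLE_SECRET, SAMPLE_OTP)
    print("request:", url)
    reply = make_server_response(SAMPLE_SECRET, SAMPLE_OTP, nonce, "OK")
    print("verdict:", verify_response(reply, SAMPLE_SECRET, SAMPLE_OTP, nonce))
```

In production the `url` is fetched over HTTPS (the outbound connection the firewall prerequisite refers to), and the reply body is passed to `verify_response`. A reply that fails the signature check, echoes a different nonce or OTP, or reports anything other than "OK" must be treated as a failed authentication; "REPLAYED_OTP" in particular means someone submitted an OTP that the key had already produced and the service had already accepted.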
Steps for configuring YubiKey Authenticator for Active Directory domain logins and password resets:
- Download and install ADSelfService Plus.
- Configure your Active Directory domains.
- Go to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
- Select the policy for which YubiKey Authenticator is to be configured from the drop-down.
- Click the YubiKey Authenticator section.
- Enter the Client ID and the Secret Key obtained from Yubico in the prerequisites.
- Click Save.
Note: You can choose to enforce multiple configurations for different users based on their domain, group, or OU membership, or simply apply one YubiKey Authenticator setting for all users.
Enabling YubiKey Authentication for Active Directory password resets
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select YubiKey Authenticator along with the other authentication techniques to be used.
- Click Save Settings.
Enabling YubiKey Authentication for Active Directory domain logins
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- In the MFA for Machine Login section, check the Enable _ authentication factors box, enter the number of factors to enforce, and select YubiKey Authenticator from the drop-down.
- Click Save Settings.
Note:
To enable MFA for Active Directory domain logins:
- The ADSelfService Plus login agent must be installed on the client machines (see the login agent installation steps in the product documentation).
- SSL (HTTPS) must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option.