Multi-Factor Authentication on SharePoint using AD DS

April 17, 2015 // By Frank Nezrick

Many organizations have SharePoint extranets, but require additional security. Using multi-factor or two-factor authentication is a plausible way to do this. What is it? Well, this is what we see when we try to log in to our bank account on a new computer. We enter our username and password, and are then informed that the website does not recognize the machine we are on and needs additional information. Typically a text message is then sent to us with a code that we enter along with our username and password. Below are the steps that can be taken to get this behavior working in SharePoint 2013 using Windows Azure Multi-Factor Authentication Server (formerly PhoneFactor).

This information is out there, but at the time this was written, I really had to dig deep and piece it together. After I contacted Microsoft, they got back to me with the following link. This really got the ball rolling.

http://technet.microsoft.com/en-us/library/dn394280.aspx

This link, however, is not specific to SharePoint 2013. Here are the steps that got multi-factor authentication working on my SharePoint 2013 VM. I am assuming that you have a SharePoint 2013 development environment set up with access to the internet. If not, Critical Path Training is a good place to start for a development setup, or the Pluralsight course here.

Create a trial account here: https://pfweb.phonefactor.com/register/step1

Fill out the required information, and once logged in, you can try to download the server software. This link did not work for me, so I logged back in and ended up at a different URL: https://pfweb.phonefactor.com/framefactory

In the lower left, follow the Server link.

[Screenshot: the Server link, circled in red]

Then click Download. Don’t worry that this is 32-bit software; it will work fine on Windows Server 2012 (and I imagine 2008/R2, but I haven’t tried these). Once the file is downloaded, move it to your development VM and run it. Once the installation is complete, click Finish. You may be prompted to reboot. If so, cancel this for now. You will also be prompted to run the configuration wizard. Proceed by clicking Next.

[Screenshot: configuration wizard]

Enter the email and password you created to download the software from https://pfweb.phonefactor.com and click Next. The installer will take a few minutes to authenticate you, and will then call the number you used when registering to download the software. Authorize the installer by answering the incoming call and pressing the # key on your phone. I found that I had to press the # key on my iPhone pretty quickly, otherwise it was not accepted. This may be an isolated incident though.

Click Next again.

Check the radio button next to Website and click Next.

[Screenshot: configuration wizard, multi-factor authentication request screen]

Leave “Internet Information Server (IIS)” selected and click Next.

[Screenshot: selecting IIS]

It is more likely that an extranet would be using Forms Based Authentication (FBA). However, this tutorial is specific to a development environment. My development environment is not currently running FBA, so let’s proceed with Windows authentication. Choose “HTTP authentication” and click Next.

[Screenshot: selecting HTTP authentication]

Enter the base URL for your SharePoint 2013 web application and click Next.

[Screenshot: URL entry]

Click Next and then Finish to save your changes.

If you canceled a reboot prompt earlier in the process, now would be a good time to do this.

After rebooting your machine, run the Multi-Factor Authentication Server application. There will be the following message: “One or more HTTP websites have ‘Require Multi-Factor Authentication user match’ unchecked”. It is OK to ignore this for now. Let’s add multi-factor authentication to a web application and import a user to try it out. Click on the IIS Authentication icon in the left toolbar.

[Screenshot: adding IIS authentication]

Select the Native Module tab and deselect all of the checkboxes. Please note that I had a number of web applications all on port 80 using host headers. This seemed to confuse the two-factor authentication. Let’s just add this to Central Admin (I know, this is not a realistic example, but CA should have a domain and unique port assigned to it). Find Central Admin in the tree and check the box next to it.

[Screenshot: selecting Central Admin]
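The host-header problem above is easy to run into on a dev VM where every web application sits on port 80. Before checking boxes in the Native Module tab, it helps to know which web applications are alone on their port. The following PowerShell is an added example, not part of the original post or of the MFA Server product; it assumes the SharePoint 2013 Management Shell snap-in is installed on the server you run it from.

```powershell
# Added example (not from the original post): list SharePoint web applications
# and flag any that share a TCP port. Host-header sites sharing port 80 confused
# the MFA Server IIS native module in the author's environment, so only web
# applications that own their port are good candidates for enabling it.
# Assumes the SharePoint 2013 Management Shell snap-in is available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApps = Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $uri = [Uri]$_.Url
    [pscustomobject]@{
        Name = $_.DisplayName
        Url  = $_.Url
        Host = $uri.Host
        Port = $uri.Port
        IsCA = $_.IsAdministrationWebApplication
    }
}

# Central Administration normally shows up here with its own unique port.
$webApps | Sort-Object Port | Format-Table Name, Host, Port, IsCA -AutoSize

# Warn about every port that more than one web application is bound to.
$shared = $webApps | Group-Object Port | Where-Object { $_.Count -gt 1 }
foreach ($group in $shared) {
    $names = ($group.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("Port {0} is shared by {1} web applications ({2}); " +
                   "give each its own port before enabling MFA on them." -f
                   $group.Name, $group.Count, $names)
}
```

Run it in an elevated SharePoint Management Shell. Any web application listed in a warning is one where the native module is likely to misbehave until the port clash is resolved, which is why the post falls back to Central Administration for the walkthrough.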

Now let’s import a user. I use the administrator account on my VM, so let’s import that one. Go to the Users icon in the left toolbar and click on the Import from Active Directory… button. In the Domain section, on the List tab, scroll down and click on Users. All users within Users should now be showing to the right. Find the Administrator user and select it, then click the Import button. Please note that in the following screenshot, Mobile is selected as the Import phone. This maps to the same-named field on the Telephones tab within the user’s properties in Active Directory. If another phone number is needed, change this before doing the import.

[Screenshot: importing from Active Directory]

You will be prompted that one user has been successfully imported. Click OK, then Close.

Double-click the user and verify that the Phone field is populated correctly. If it did not come over, enter your cell phone number manually.

[Screenshot: user information]
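Because the import copies the Mobile field from Active Directory, an empty Phone field in MFA Server almost always means the AD attribute was empty at import time. The script below is an added example, not part of the original post; it checks the attribute before you import and fills it in if needed. It assumes the ActiveDirectory RSAT module on a domain-joined VM, and the account name and phone number are placeholders.

```powershell
# Added example (not from the original post): verify that the AD 'mobile'
# attribute (Mobile on the Telephones tab) is populated before importing the
# user into MFA Server, and set it if it is missing.
# Assumes the ActiveDirectory module is installed; values below are placeholders.
Import-Module ActiveDirectory

$account = 'Administrator'   # placeholder: the account you plan to import
$number  = '+1 555 0100'     # placeholder: your own cell number, E.164 style

# MobilePhone is the PowerShell-friendly name of the LDAP 'mobile' attribute.
$user = Get-ADUser -Identity $account -Properties MobilePhone

if ([string]::IsNullOrWhiteSpace($user.MobilePhone)) {
    Write-Warning "$account has no mobile number in AD; the MFA import would leave Phone empty."
    Set-ADUser -Identity $account -MobilePhone $number
    $user = Get-ADUser -Identity $account -Properties MobilePhone
}

"{0}: mobile = {1}" -f $user.SamAccountName, $user.MobilePhone
```

Run it as a user with write access to the account before clicking Import; if the number was just set, re-run the import rather than editing the Phone field by hand, so AD and MFA Server stay in agreement.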

At this time, let’s test that the system is working. Click the Test button within the Users section of the Multi-Factor Authentication Server application. Enter the required password and click Test.

Answer the call and press the # key. You should see a message on the screen that you have been successfully authenticated.

[Screenshot: successful authentication]

Go ahead and close the Test User modal, and then close the Multi-Factor Authentication Server. Now open Internet Explorer and navigate to Central Administration. If everything is working, this will trigger a call to your phone, requiring you to press the # key, and then you will be logged into Central Administration.

Please note that Microsoft is still working out the kinks, and this solution may not yet be production ready. If you really need this in production, test until you can’t stand it anymore, then test two more times. Cheers!

Categories // Software Development
Tags Multi-factor Authentication, SharePoint, SharePoint 2013