April 17, 2015 // By Frank Nezrick
Many organizations have SharePoint extranets, but require additional security. Using multi-factor or two-factor authentication is a plausible way to do this. What is it? Well, this is what we see when we try to login to our bank account on a new computer. We enter our username and password, and are then informed that the website does not recognize the machine we are on, and needs additional information. Then typically a text message is sent to us with a code that we enter along with our username and password. Below are the steps that can be taken to get this behavior working in SharePoint 2013 using Windows Azure Multi-Factor Authentication Server (formerly PhoneFactor).
This information is out there, but at the time this was written, I really had to dig deep and piece it together. After contacting Microsoft, they got back to me with the following link. This really got the ball rolling.
This link, however, is not specific to SharePoint 2013. Here are the steps that got multi-factor authentication working on my SharePoint 2013 VM. I am assuming that you have a SharePoint 2013 development environment setup with access to the internet. If not, critical path training is good place to start for a development setup, or the PluralSight here.
Create a trial account here: https://pfweb.phonefactor.com/register/step1
Fill out the required information, and once logged in, you can try to download the server software. This link did not work for me, so I logged back in, and ended up at a different url. https://pfweb.phonefactor.com/framefactory
In the lower left, follow the Server link.
Then click Download. Don’t worry that this is 32 bit software, it will work fine in Windows Server 2012 (and I imagine 2008/R2, but I haven’t tried these). Once the file is downloaded, move it to your development VM and run it. Once the installation is complete, click Finish. You may be prompted to reboot. If so, cancel this for now. You will be also be prompted to run the configuration wizard. Proceed by clicking Next.
Enter the email and password you created to download the software from https://pfweb.phonefactor.com and click Next. The installer will take a few minutes to authenticate you, and will then call the number you used when registering to download the software. Authorize the installer by answering the incoming call and pressing the # key on your phone. I found that I had to press the # key on my iPhone pretty quickly, otherwise it was not accepted. This may be an isolated incident though.
Click Next again.
Check the radio button next to Website and click Next.
Leave “Internet Information Server (IIS)” selected and click Next.
It is more likely that an Extranet would be using Forms Based Authentication (FBA). However, this tutorial is specific to a development environment. My development environment is not currently running FBA, hence let’s proceed with Windows authentication. Choose “HTTP authentication” and click Next.
Enter the base Url for your SharePoint 2013 web application and click Next.
Click Next and then Finish to save your changes.
If you canceled a reboot prompt earlier in the process, now would be a good time to do this.
After rebooting your machine, run the Multi-Factor Authentication Server application. There will be the following message: “One or more HTTP websites have ‘Require Multi-Factor Authentication user match’ unchecked”. It is OK to ignore this for now. Let’s add multi-factor authentication to a web application and import a user to try it out. Click on the IIS Authentication icon in the left toolbar.
Select the Native Module tab and deselect all of the checkboxes. Please note that I had a number of web applications all on port 80 using host headers. This seemed to confuse the two-factor authentication. Let’s just add this to Central Admin (I know, this is not a realistic example, but CA should have a domain and unique port assigned to it). Find Central Admin in the tree and check the box next to it.
Now let’s import a user. I use the administrator account on my VM, so let’s import that one. Go to the Users icon in the left toolbar and click on the Import from Active Directory… button. In the Domain section, on the List tab, scroll down and click on Users. All users within Users should now be showing to the right. Find the Administrator user and select it, then click the Import button. Please note that in the following screen shot, Mobile is selected as the Import phone. This will map to the same named field on the Telephones tab within the users properties in Active Directory. If another phone number is needed, change this before doing the import.
You will be prompted that one user has been successfully imported. Click OK, then the close button.
Double click the user and verify that the Phone field is populated correctly. Add the Phone number to your cell manually if it did not come over.
At this time, let’s test that the system is working. Click the Test button within the Users section of the Multi-Factor Authentication Server application. Enter the required password and click Test.
Answer the call and press the # key. You should see a message on the screen that you have been successfully authenticated.
Go ahead and close the Test User modal, and then close the Multi-Factor Authentication Server. Now open Internet Explorer and navigate to Central Administration. If everything is working, this will trigger a call to your phone, requiring you to press the # key, and then you will be logged into Central Administration.
Please note that Microsoft is still working out the kinks, and this solution may not yet be production ready. If you really need this in production, test until you can’t stand it anymore, then test two more times. Cheers!
If you would rather speak to us directly, please go to our contact page or call us at 877-277-1044.