Today, I had the pleasure of installing and configuring the AD FS Agent that is part of CensorNet’s SMS PASSCODE product, version 2018 (version 10). Here’s how to perform this task yourself.
About the Extensible Authentication Framework
Active Directory Federation Services (AD FS) offers the Extensible Authentication Framework (EAF). Through it, multi-factor authentication vendors can hook their products into the AD FS authentication pipeline as additional authentication providers.
When the authentication policy requires multi-factor authentication for a request, AD FS hands the authentication over to the vendor’s AD FS Agent, which routes it to the multi-factor authentication software. Only when that software signals back that the second factor was verified successfully does AD FS issue the security token with its claims to the user.
About CensorNet and SMS PASSCODE
SMS PASSCODE is one of the oldest multi-factor authentication solutions on the market. It currently offers one-time passwords (OTPs) delivered in SMS text messages and through the SMS PASSCODE mobile app.
The product uses a centralized authentication server that holds the information needed to authenticate users. Users can be imported into this server from Active Directory and other sources. Fail-over servers can be implemented to reduce the dependency on a single server. Agents, called Client Authentication Protections, provide functionality like RADIUS connectivity and, as I’ll show in this blogpost, AD FS connectivity through the Extensible Authentication Framework (EAF).
Before following the below steps, make sure you meet the following prerequisites:
- Implement the central CensorNet SMS PASSCODE server. Copy the installation file to a file location that is accessible to the AD FS Server(s); the same installer contains both the server component and the agents. Make sure user accounts are configured with appropriate authentication information (such as the mobile phone number to deliver OTPs to).
- Log on to the AD FS Server(s) with an account that has privileges to manage Active Directory Federation Services. When the AD FS Farm uses the Windows Internal Database (WID) as its configuration database, make sure to run the last steps of this HowTo on the primary AD FS Server, because only that node can write to the configuration.
- Make sure the AD FS Servers can communicate with the centralized CensorNet SMS PASSCODE server over TCP port 8988. Web Application Proxies don’t need a connection to the server, though: the agent runs on the AD FS Servers, and the proxies only forward requests to them.
- After installation and configuration of the SMS PASSCODE Client Authentication Protection for AD FS, the AD FS Servers need to be restarted. Plan this type of action outside working hours, or have a fully redundant AD FS implementation so that a node can be restarted without interrupting sign-ins.
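The three checks above (account privileges, farm role, and TCP 8988 reachability) can be verified from an elevated PowerShell prompt on each AD FS Server before you start the installer. The script below is an added example and not part of the original post or CensorNet’s documentation; the hostname smspasscode.example.com is an assumption, replace it with your own central server.

```powershell
# Added example (not from the original post). Run elevated on every AD FS Server.
$PasscodeServer = 'smspasscode.example.com'   # assumption: your central SMS PASSCODE server
$PasscodePort   = 8988                        # port named in the prerequisites

Import-Module ADFS

# 1. Can the logged-on account manage AD FS? Reading the farm properties is a cheap proof.
try {
    $null = Get-AdfsProperties -ErrorAction Stop
    'AD FS management access: OK'
}
catch {
    throw "This account cannot manage AD FS: $($_.Exception.Message)"
}

# 2. Which role does this node play in the farm? On a WID farm only the node that
#    reports PrimaryComputer accepts configuration changes, so run the final
#    "enable MFA" steps there.
$sync = Get-AdfsSyncProperties
"Farm role of $env:COMPUTERNAME : $($sync.Role)"

# 3. Can this node reach the central server on TCP 8988? Without this, the agent's
#    Test Connection button in the Configuration Tool will fail as well.
$probe = Test-NetConnection -ComputerName $PasscodeServer -Port $PasscodePort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP $PasscodePort to $PasscodeServer is blocked; open it on the firewall before installing the agent."
}
"TCP $PasscodePort to $PasscodeServer : OK"
```

Run it once per AD FS Server; the Web Application Proxies are deliberately left out, as they do not talk to the SMS PASSCODE server.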
How to install and configure the agent
Follow these steps to install and configure the CensorNet SMS PASSCODE Client Authentication Protection for AD FS:
- Log on to the AD FS server.
- Locate the CensorNet SMS PASSCODE installation file.
- Double-click the SmsPasscode-2018-x64.exe installation file to start installing.
- In the Welcome to the InstallShield Wizard for SMS PASSCODE screen of the SMS PASSCODE 2018 installer, click Next >.
- In the License Agreement screen, select the option I accept the terms in the license agreement. Click Next >.
- In the Installation Scope screen, only select the option to Install Authentication Client Protection and click Next >. The other option installs the central server component.
- In the Destination Folder screen, click Next > to accept the default installation location: C:\Program Files\SMS PASSCODE\.
- In the Authentication Clients screen, only select the AD FS Protection option. Click Next >.
- In the Configuration Tool pop-up, click OK to acknowledge that all settings need to be checked and that installation continues after the configuration tool is closed.
- In the SMS PASSCODE – Configuration Tool, on the Network tab, enter the shared secret used to communicate with the central server and confirm it in the second field. It must match the shared secret configured on the central server. Click Save.
- Navigate to the Backend Hosts tab.
- On the Backend Hosts tab, remove the hostname of the AD FS Server (the default) and enter the hostname of the central CensorNet server. Click Save when done.
- Click Test Connection to verify that the agent can reach the central server with the shared secret you entered. Click Close in the resulting screen.
- Click Close to close the SMS PASSCODE – Configuration Tool.
- Back in the SMS PASSCODE 2018 installation screen, wait for the installer to complete.
- In the InstallShield Wizard Completed screen, click Finish.
Perform the above steps on every AD FS Server in the AD FS Farm, before continuing with the steps below.
How to enable Multi-factor Authentication through SMS PASSCODE
Follow these steps to enable Multi-factor Authentication through SMS PASSCODE:
- Log on to the (primary) AD FS server.
- Open the AD FS Management tool.
- In the left navigation pane, select Authentication Policies.
- In the right task pane, click the Edit Global Multi-factor Authentication… link.
- Select SMS PASSCODE Authentication as an additional authentication method.
- To require multi-factor authentication for all sign-ins from outside the corporate network, also select Extranet under Locations. Alternatively, specify multi-factor authentication per Relying Party Trust (RPT).
- Click OK.
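The same configuration can be applied and verified with the ADFS PowerShell module on the primary AD FS Server, which is useful when you want the change scripted and repeatable. The script below is an added example and not part of the original post or CensorNet’s product; the exact provider name that the agent registers is an assumption, which is why the script reads it from Get-AdfsAuthenticationProvider instead of hard-coding it, and the Relying Party Trust name 'Claims Aware App' is a placeholder.

```powershell
# Added example (not from the original post). Run on the primary AD FS Server.
Import-Module ADFS

# 1. Find the additional authentication provider the SMS PASSCODE agent registered
#    through the EAF. The name filter is an assumption; inspect the full list if it
#    matches nothing.
$provider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.Name -like '*PASSCODE*' -or $_.DisplayName -like '*PASSCODE*' }
if (-not $provider) {
    throw 'No SMS PASSCODE provider is registered; re-run the agent installer on this node.'
}

# 2. Global policy: add the provider to the additional (MFA) providers that are
#    already enabled instead of overwriting them.
$current = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$names   = @(@($current) + @($provider.Name) | Where-Object { $_ } | Select-Object -Unique)
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $names

# 3. The "Extranet" checkbox is a claim rule: requests without the
#    insidecorporatenetwork=true claim must satisfy multipleauthn.
$extranetRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule

# Alternative: scope the requirement to a single Relying Party Trust instead of the farm.
# Set-AdfsRelyingPartyTrust -TargetName 'Claims Aware App' -AdditionalAuthenticationRules $extranetRule

# 4. Verify what is now in effect.
Get-AdfsGlobalAuthenticationPolicy | Select-Object -ExpandProperty AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

The global rule and the per-RPT rule use the same claim language; choose one scope, because a rule on a Relying Party Trust is evaluated in addition to the global rule.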
There is no need to configure additional settings when the centralized CensorNet SMS PASSCODE server is configured with its default authentication policy, Any.
Using the Extensible Authentication Framework (EAF) in Active Directory Federation Services (AD FS) makes enabling multi-factor authentication a breeze.