This blogpost details how to setup and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product in an existing environment.
It details how to install and configure the base components: The MFA Server, the Web Service SDK and the User Portal.
Before you begin
Before you begin, you should have access to the following information:
- The DNS domain name of your organization’s Active Directory Domain Services (AD DS) environment
- Credentials for an account that is a member of the Domain Admins group in Active Directory
- Credentials for an account that has the Global administrator role assigned in Azure AD
Of course, it’s a good idea to make a back-up of your Domain Controllers and test one of the backups in a separate networking environment to make sure you’re able to restore.
Overview
The implementation performed here resembles the Stretched deployment among the supported Azure MFA Server deployment scenarios discussed earlier.
Requirements
For this scenario, two Windows Server installations are needed:
- MFA1 – This server becomes the Azure MFA Back-end Server (Master)
- WEB1 – This server becomes the Azure MFA Web Server
These servers will have to have .NET Framework 4 installed and be made members of an existing Active Directory environment. For the purpose of this blogpost, two Windows Server 2016-based installations will be deployed.
Microsoft disabled the ability to create MFA Providers in Azure AD as of September 1st, 2018. If you haven’t registered an MFA Provider before this date, all user accounts in scope for MFA Server need to be synchronized from Active Directory to Azure AD. The easiest way to do this is using Azure AD Connect with Express Settings. Afterward, Azure AD Premium (P1) licenses need to be assigned to them (or an overarching license that includes this license, like Azure AD Premium (P2) or Microsoft 365 E3).
As part of basic information security, traffic to the MFA User Portal and to the MFA Web Service SDK is encrypted. For this purpose, we will need valid TLS certificates. Install corresponding TLS certificates in the Personal stores of the Local Machine on both MFA1 and WEB1.
Download MultiFactorAuthenticationServerSetup.exe from the MFA Server download page and place it on the disk of server MFA1.
Step 1: Install and configure MFA Server on MFA1
The Central MFA Server component communicates with the cloud-based MFA Point of Presence (PoP) to perform authentications and with on-premises systems like RADIUS clients and Domain Controllers.
Perform the following steps to install and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product on Windows Server MFA1:
- Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
- Open File Explorer.
- Navigate to the folder where you’ve placed the Azure MFA Server installation files.
- Double-click MultiFactorAuthenticationServerSetup.exe.
- In the Open File – Security Warning pop-up window, click Run.
- In the Multi-Factor Authentication Server pop-up window (depicted above), click Install to install the Visual C++ “14” Runtime Libraries.
- For Microsoft Visual C++ 2017 Redistributable (x86), select the I agree to the license terms and conditions option and click Install afterward. Click Close when setup is successful.
- Repeat the above step for the x64 package.
The Multi-factor Authentication Server screen will appear.
(This may take a while…)
- On the License Agreement page, select the I Agree option.
- Click Next >.
- On the Select Installation Folder page (see above), click Next >.
- On the Installation Complete page, click Finish.
The Multi-Factor Authentication Server management user interface appears, as depicted above.
- The first thing to configure is the activation of the MFA Server, which is why the Activate screen is shown. Here, we have to enter activation credentials. On server MFA1, or on an Internet-connected workstation, perform the following actions to create the activation credentials:
- Open a web browser and navigate to the Azure Portal.
- Sign in with an account that has the Global administrator role assigned.
Perform Azure-based multi-factor authentication when prompted.
- In the left navigation menu, click Azure Active Directory.
- In the Azure AD navigation menu, scroll down to the Security section.
- Click MFA.
- In the scenario where an MFA Provider is present:
- In the Multi-Factor Authentication navigation menu, click Providers.
- Select a provider in the list of MFA providers to open its settings.
- In the navigation menu for the MFA Provider, click Server Settings.
- In the MFA Provider’s Server Settings, follow the Generate link.
- In the scenario of Hybrid Identity:
- In the Multi-Factor Authentication navigation menu, click Server settings.
- Follow the Generate link.
- Copy the generated activation credentials into the Multi-Factor Authentication Server management user interface.
- Click Activate within 10 minutes of generating the credentials, as the credentials automatically expire after this time period.
- In the Multi-Factor Authentication Server pop-up window (depicted above), click Yes to enable and configure replication by running the Multi-Server Configuration Wizard.
The Multi-Server Configuration Wizard appears (see the above screenshot).
- On the Enable Replication Between Servers page, click Next >.
- On the Secure Communication page, unselect the Certificates option.
- Click Next >.
- On the Active Directory page, click Next >.
- On the Multi-Server Configuration Complete page, click Finish.
The server will reboot.
Step 2: Configure AD Sync on MFA1
The central MFA Server component uses its own database to store information on user objects. The best approach in a Microsoft-oriented environment is to configure automatic synchronization of user objects from Active Directory to MFA Server’s phonefactor.pfdata database.
After installation and reboot, perform these steps on Windows Server MFA1 to configure Active Directory synchronization:
- Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
- Open the Multi-Factor Authentication Server management user interface from the Start Menu.
- In the left icon pane, select Directory Integration.
- Navigate to the Synchronization tab.
- On the Synchronization tab, enable the Enable synchronization with Active Directory option. Additionally, enable the Remove users no longer in Active Directory option.
Step 3: Configure the Web Service SDK on MFA1
To allow other MFA Server components, like the MFA User Portal and the MFA AD FS Adapter, to communicate with the central MFA Server component, install and configure Internet Information Services (IIS) and the Web Service Software Development Kit (SDK) on Windows Server MFA1:
- Open an elevated PowerShell window, and execute the following line of PowerShell:
Install-WindowsFeature Web-WebServer,Web-Http-Redirect,Web-Basic-Auth,Web-Asp-Net45,Web-Metabase -IncludeManagementTools
- Close the PowerShell window.
- Open the Multi-Factor Authentication Server management user interface from the Start Menu.
- In the left icon pane, select Web Service SDK.
- Click the Install Web Service SDK… button.
The Multi-Factor Authentication Web Service SDK window appears (see above).
- On the Select Installation Address page, click Next >.
- On the Installation Complete page, click Close.
- Close the Multi-Factor Authentication Server management user interface.
Step 4: Create the Web Service SDK service account and configure the service
To accommodate authentication to the Web Service SDK, a service account is needed that is also a member of the PhoneFactor Admins group. Then, the Web Service SDK Application Pool needs to be configured to run as this service account.
Perform these steps on a Domain Controller, on a domain-joined Windows Server with the Active Directory Domain Services Remote Server Administration Tools (RSAT) installed, or on a domain-joined Windows installation with the Remote Server Administration Tools (RSAT) installed:
- Use an account that is a member of the Domain Admins group, or has delegated permissions to create user objects in Active Directory.
- Open the Active Directory Administrative Center from the Start Menu.
- At the top of the left navigation menu, switch to Tree view.
- Navigate to the Users container.
- In an empty space, right-click and select New, then User from the context menu.
The Create User: window appears, as depicted above.
- Type a Full name: and User SamAccountName: for the service account.
- Type the password for the service account twice.
- Select the Other password options option, and select Password never expires.
- Select the Protect from accidental deletion option.
- Scroll down to the Member Of section.
- Click the Add… button.
The Select Groups pop-up window appears (see above).
- Type the PhoneFactor Admins group.
- Click Check Names.
- Click OK.
- Click OK to create the service account.
- Sign out.
Perform the following steps on Windows Server MFA1:
- Sign into Windows Server MFA1, using an account that is a member of the local administrators group.
- Open the Internet Information Services (IIS) Manager from the Start Menu.
- In the left navigation menu of IIS Manager, expand the Sites node.
- Select the Default Web Site.
- In the Actions pane to the right, click Bindings….
- In the Site Bindings pop-up window, click Add…
- In the Add Site Binding add a binding for https. Select the appropriate TLS certificate and click OK.
- Back in the Site Binding window, click Close.
- In the left navigation menu of IIS Manager, expand the Application Pools node.
- In the main pane, select the MultiFactorAuthWebServiceSDK application pool.
- In the Actions pane on the right, click Advanced Settings…
- From the list of settings, under Process Model, select Identity.
- Click the button with the three dots to the right of ApplicationPoolIdentity.
The Application Pool Identity window appears.
- Select Custom account.
- Click Set….
The Set Credentials pop-up window appears (see above).
- Enter the User name: of the Web Service SDK service account in the format DOMAIN\ServiceAccount.
- Enter the password for the service account twice.
- Click OK.
- Click OK.
- Click OK.
- Close Internet Information Services (IIS) Manager.
The Web Service SDK is now available via the following URL: https://mfa1.domain.tld/multifactorauthwebservicesdk/
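The Step 4 procedure above as a script, added here as an example and not part of the original post. It assumes it runs on MFA1 with the ActiveDirectory (RSAT) and WebAdministration PowerShell modules available, that the TLS certificate for the SDK host is already in the Local Machine Personal store, and that DOMAIN, Svc_MFASDK, the Users container path and mfa1.domain.tld are placeholders to replace.

```powershell
# Added example, not from the original post: Step 4 (service account, HTTPS binding,
# application pool identity) as a script. Placeholders: DOMAIN, Svc_MFASDK,
# CN=Users,DC=domain,DC=tld and mfa1.domain.tld.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Domain         = 'DOMAIN'
$SamAccountName = 'Svc_MFASDK'
$UsersContainer = 'CN=Users,DC=domain,DC=tld'
$SdkHost        = 'mfa1.domain.tld'
$Password       = Read-Host -AsSecureString "Password for $Domain\$SamAccountName"

# Service account: password never expires, protected from accidental deletion and a
# member of PhoneFactor Admins (that membership is what authorizes it to the SDK).
New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $UsersContainer `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Set-ADObject -Identity "CN=$SamAccountName,$UsersContainer" -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity 'PhoneFactor Admins' -Members $SamAccountName

# HTTPS binding on the Default Web Site, using the newest certificate issued for the SDK host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SdkHost*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No TLS certificate for $SdkHost found in Cert:\LocalMachine\My" }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# Run the MultiFactorAuthWebServiceSDK application pool as the service account.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
Set-ItemProperty 'IIS:\AppPools\MultiFactorAuthWebServiceSDK' -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "$Domain\$SamAccountName"
    password     = $plain
}
Restart-WebAppPool -Name 'MultiFactorAuthWebServiceSDK'
```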
Step 5: Install the User Portal on WEB1
The MFA Server User Portal allows administrators, delegated service desk personnel and end-users to modify MFA settings and preferences. The User Portal will be installed on a separate Windows Server-based web server: WEB1.
Perform the following steps on Windows Server MFA1 to get the Multi-Factor Authentication Server User Portal Installer to Windows Server WEB1:
- Open File Explorer.
- Navigate to the installation folder of MFA Server. By default, this location is:
C:\Program Files\Multi-Factor Authentication Server\
- Copy MultiFactorAuthenticationUserPortalSetup64.msi.
- Paste the Multi-Factor Authentication Server User Portal Installer on the disk of Windows Server WEB1.
- Close File Explorer.
- Sign out.
Perform these steps to install MFA Server’s User Portal on Windows Server WEB1:
- Sign into Windows Server WEB1, using an account that is a member of the local administrators group.
- Open an elevated PowerShell window, and execute the following line of PowerShell:
Install-WindowsFeature Web-WebServer,Web-Asp-Net45,Web-Metabase -IncludeManagementTools
- Close the PowerShell window.
- Open File Explorer.
- Navigate to the folder where you’ve placed the Multi-Factor Authentication Server User Portal Installer file.
- Double-click MultiFactorAuthenticationUserPortalSetup64.msi.
The Multi-Factor Authentication User Portal appears (see above).
- On the Select Installation Address page, click Next >.
- On the Installation Complete page, click Close.
- Open the Internet Information Services (IIS) Manager from the Start Menu.
- In the left navigation menu of IIS Manager, expand the Sites node.
- Select the Default Web Site.
- In the Actions pane to the right, click Bindings….
- In the Site Bindings pop-up window, click Add…
- In the Add Site Binding add a binding for https. Select the appropriate TLS certificate and click OK.
- Back in the Site Binding window, click Close.
- Close Internet Information Services (IIS) Manager.
- Switch to the File Explorer window.
- Navigate to the file location with the User Portal files. By default, this location is:
C:\inetpub\wwwroot\MultiFactorAuth
- Open Web.Config in Notepad.
- In the appSettings section, make four changes:
- On line 9, change the value for USE_WEB_SERVICE_SDK from "false" to "true".
- On line 10, add the domain name and username for the service account that runs the application pool of the Web Service SDK, i.e. DOMAIN/Svc_MFASDK.
- On line 11, add the password.
- On line 60, in the ApplicationSettings section, change https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx to the URL of the Web Service SDK, i.e. https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSDK.asmx
- From Notepad’s File menu, select Save.
- From Notepad’s File menu, select Exit.
- Close File Explorer.
- Sign out.
The MFA User Portal is now available via the following URL: https://web1.domain.tld/multifactorauth
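The four Web.Config changes of Step 5 applied with PowerShell's XML API instead of Notepad, preceded by a check that the Web Service SDK actually accepts the service account. This is an added example, not code from the original post; it assumes the default key names of the User Portal's Web.Config (USE_WEB_SERVICE_SDK plus the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and _PASSWORD keys the post edits on lines 10 and 11), and DOMAIN\Svc_MFASDK and mfa1.domain.tld are placeholders.

```powershell
# Added example, not from the original post: Step 5 Web.Config edits on WEB1, with a
# connectivity check first. Placeholders: DOMAIN\Svc_MFASDK and mfa1.domain.tld.
$webConfigPath = 'C:\inetpub\wwwroot\MultiFactorAuth\Web.Config'
$sdkUrl        = 'https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSDK.asmx'
$sdkUser       = 'DOMAIN\Svc_MFASDK'
$sdkSecure     = Read-Host -AsSecureString "Password for $sdkUser"
$sdkPassword   = [System.Net.NetworkCredential]::new('', $sdkSecure).Password

# Check first: if the SDK rejects these credentials, the User Portal will fail the same way.
try {
    $null = Invoke-WebRequest -Uri $sdkUrl -Credential ([pscredential]::new($sdkUser, $sdkSecure)) -UseBasicParsing
} catch {
    throw "Web Service SDK at $sdkUrl is unreachable or rejected ${sdkUser}: $($_.Exception.Message)"
}

Copy-Item $webConfigPath "$webConfigPath.bak" -Force   # keep the original for rollback
[xml]$config = Get-Content -Raw $webConfigPath

# Assumed key names (default User Portal Web.Config); fails loudly if a key is missing.
function Set-AppSetting([xml]$Xml, [string]$Key, [string]$Value) {
    $node = $Xml.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "appSettings key '$Key' not found in $webConfigPath" }
    $node.value = $Value
}
Set-AppSetting $config 'USE_WEB_SERVICE_SDK' 'true'                            # line 9
Set-AppSetting $config 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' $sdkUser      # line 10
Set-AppSetting $config 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' $sdkPassword  # line 11

# Line 60: the applicationSettings value that still points at the contoso sample URL.
$urlNode = $config.SelectSingleNode("//value[contains(text(), 'PfWsSdk.asmx')]")
if (-not $urlNode) { throw 'Web Service SDK URL setting not found in applicationSettings' }
$urlNode.InnerText = $sdkUrl

$config.Save($webConfigPath)   # IIS recycles the User Portal application on save
```

After this, Web.Config holds the service account's password in clear text, so review the file's NTFS permissions and keep the .bak copy out of the web root.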
Concluding
Having written how to install and configure MFA Server 6.3 on 4Sysops.com four years ago, I’m amazed how much easier it is today to install Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server.
Related blogposts
Supported Azure MFA Server Deployment Scenarios and their pros and cons
Connecting to Azure MFA Server’s Web Service SDK using certificate authentication
Choosing the right Azure MFA authentication methods
Azure Multi-Factor Authentication Server 8.0.1.1 was released
Did an upgrade from 6.3 to 8.0 by joining the 8.0 to the 6.3 farm. Indeed the installation is so much easier and really smooth. Also the transfer from 6.3 to 8.0 went very smoothly. Do you have any idea or rumours about how long MFA Server will be available 🙂 ?
Hi Eric,
Last week, Microsoft announced that Azure MFA Server will no longer be available for new deployments as of July 1, 2019.
Find out how to uninstall and remove MFA Server from your networks.
Hi!
Does the MFA Server have an API? For user management.
Hi Ev,
Unfortunately not.
This is one of the ten Things I think you need to know about Azure Multi-Factor Authentication Server.