How to set up 2-factor authentication with One-Time Passwords delivered by Email
Rohos Logon Key can protect a Windows Terminal Server with 2-factor authentication based on One-Time Passwords (OTP). Using Google Authenticator as the OTP generator requires delivering the OTP secret key to the end user and storing it on their mobile device, in mobile email, SMS or the Google Authenticator application.
To improve security you can instead configure your Windows Server to generate the One-Time Password and deliver it to the end user by SMS or Email, which is also reliable and free. With this feature there is no need to send the OTP secret key or to set up Google Authenticator on the end user's mobile device.
How to set up OTP delivery by Email
To set up Rohos Logon Key on Windows Terminal Server, read here.
Requirements:
- Windows 2012 Server or newer;
- PowerShell v.3 or higher (built into Windows 2012 and higher);
- Script execution policy is enabled. To enable it, run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned in PowerShell. You need to run both PowerShell and PowerShell (x86) as Administrator and execute this command in each;
- User accounts have a valid e-mail address in the account's General properties.
How does it work:
Open the options and ensure that OtpDeliveryScript.ps1 is set in the Delivery script option:
Click Edit to open the OtpDeliveryScript.ps1 file and edit the Email options, such as the SMTP server and the email and password credentials of the mailbox that will be used to send emails:
- $NotifyByEmail = $true
- $SmtpServer
- $SmtpPort
- $SmtpLogin
- $SmtpPassword
- $EmailFrom
- $Subject
Save the script.
To test the delivery you need to configure an OTP for a test user. Execute the “Setup OTP logon” command. Select the desired user, choose “By e-mail or SMS” and enter the desired e-mail address. Fill in the password field if necessary and click Enable OTP logon.
Now open the “OTP Settings” dialog, select the user and click the Test delivery button to test OTP delivery.
At this point you may receive a mail notification from your mail provider about a blocked sign-in attempt. You have to allow access to less secure apps on the mailbox used for sending.
Then execute a test delivery again.
You can also edit and debug OtpDeliveryScript.ps1 in PowerShell ISE to customize the Subject and Email body, and then ensure that the script runs correctly.
Notes:
- The script writes output to the console that includes the successfully configured users and the notification email address;
- Depending on the 2FA control type selected in Rohos (if set to “for user group in AD”) you also need to add these users to the 2FA group name specified in Rohos Logon Key in order to apply 2FA control on the Windows Terminal Server or workstations;
- In order to use Gmail or Office 365 as the email delivery service you need to adjust your mail account settings, e.g. “Allow less secure apps” for Gmail:
https://support.google.com/accounts/answer/6010255?hl=en
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3
Known issues:
- “The SMTP server requires a secure connection or the client was not authenticated. The server response”: allow “less secure apps” access at your mail service provider.
- Set-ExecutionPolicy -ExecutionPolicy RemoteSigned needs to be applied for both the x86 and x64 PowerShell ISE.
- PowerShell error: “The term ‘Get-ADUser’ is not recognized as the name of a cmdlet”. Please look at OtpDeliveryScript.ps1 for how to enable Get-ADUser.
To set up SMS delivery:
Find the string:
$SmsGatewayUrl = "https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx&password=xxxx&to=$($AdUserName.telephoneNumber)&text=$($SmsNotificationText)"
and customize the URL so that it matches your SMS provider's HTTP API URL.
Both $($AdUserName.telephoneNumber) and $($SmsNotificationText) are script variables and you should not touch them.
You may select a user from the left or enter an Email/Phone and click the “test delivery” button to send the OTP code using the configured delivery method.
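As an added illustration (this is not the Rohos OtpDeliveryScript.ps1 itself, whose internals are not shown on this page), the following PowerShell script shows how a delivery script of this kind can be structured around the variable names the article mentions for both the Email options and the SMS gateway: it looks up the user's mail and telephoneNumber attributes with Get-ADUser, sends the code by e-mail over STARTTLS using a credential stored with Export-Clixml instead of a clear-text $SmtpPassword in the script, and for SMS builds the gateway request with URL-escaped query values. The parameter names $UserName and $OtpCode, the path C:\Rohos\smtp-cred.xml, the example.com hostnames and the gateway URL are assumptions.

```powershell
# Illustrative OTP delivery script (added example; not the Rohos OtpDeliveryScript.ps1).
# Assumed inputs: the user's sAMAccountName and the one-time code to deliver.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [Parameter(Mandatory = $true)][string]$OtpCode
)

# Settings mirroring the option names described in the article (values are assumed).
$NotifyByEmail = $true
$NotifyBySms   = $false
$SmtpServer    = 'smtp.example.com'
$SmtpPort      = 587
$EmailFrom     = 'otp@example.com'
$Subject       = 'Your one-time password'
# SMTP credential created once with:  Get-Credential | Export-Clixml 'C:\Rohos\smtp-cred.xml'
# Export-Clixml protects the password with DPAPI for the account that wrote the file,
# so the mailbox password does not sit in clear text inside this script.
$SmtpCredPath  = 'C:\Rohos\smtp-cred.xml'
# SMS gateway base URL; replace with your provider's HTTP API (placeholder values).
$SmsGatewayUrl = 'https://sms.example.com/send?api_id=xxxx&user=xxxx&password=xxxx'

# Get-ADUser comes from the RSAT Active Directory module.
Import-Module ActiveDirectory -ErrorAction Stop

# mail and telephoneNumber are not in Get-ADUser's default property set, so request them.
$AdUserName = Get-ADUser -Identity $UserName -Properties mail, telephoneNumber
if (-not $AdUserName) { throw "Account '$UserName' not found in AD." }

$SmsNotificationText = "Your OTP code is $OtpCode"
$MailBody = "Your one-time password for the Terminal Server is: $OtpCode`r`nIt is valid for a single login."

$Delivered = $false

if ($NotifyByEmail) {
    if ([string]::IsNullOrWhiteSpace($AdUserName.mail)) {
        Write-Warning "No e-mail address set on account '$UserName'; skipping e-mail."
    } else {
        $SmtpCred = Import-Clixml -Path $SmtpCredPath
        # -UseSsl negotiates STARTTLS so the code and the mailbox credentials are not sent in clear.
        Send-MailMessage -From $EmailFrom -To $AdUserName.mail -Subject $Subject -Body $MailBody `
            -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -Credential $SmtpCred -ErrorAction Stop
        Write-Output "OTP sent by e-mail to $($AdUserName.mail) for user $UserName"
        $Delivered = $true
    }
}

if ($NotifyBySms) {
    if ([string]::IsNullOrWhiteSpace($AdUserName.telephoneNumber)) {
        Write-Warning "No telephone number set on account '$UserName'; skipping SMS."
    } else {
        # Escape the query values so spaces or '&' in the text cannot break or alter the URL.
        $Parts = @(
            $SmsGatewayUrl,
            [System.Uri]::EscapeDataString($AdUserName.telephoneNumber),
            [System.Uri]::EscapeDataString($SmsNotificationText)
        )
        $Url = '{0}&to={1}&text={2}' -f $Parts
        $Response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        Write-Output "SMS gateway answered HTTP $($Response.StatusCode) for user $UserName"
        $Delivered = $true
    }
}

if (-not $Delivered) {
    throw "OTP could not be delivered to '$UserName': no usable e-mail address or phone number on the account."
}
```

Two points worth keeping in mind when adapting this: with an HTTP-API gateway of the kind shown, the gateway password and the OTP travel in the request URL, so they can end up in proxy or gateway access logs; use HTTPS and, where the provider supports it, an API that takes credentials in a header. The Send-MailMessage call is the step that fails with the "The SMTP server requires a secure connection or the client was not authenticated" error listed under Known issues when the mailbox rejects the login.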
Setting up a user account with 2FA by OTP
- Open Rohos Logon Key > Setup OTP token
- Choose the user account
- Choose “By Email or SMS” and enter “email” into the edit field (during actual authentication Rohos gets the user's e-mail from the account properties)
- Click Enable OTP login
Done!
Don't forget to set up the 2FA policy by setting one of the options under “Allows to login by using the Key”.
Read more about using Rohos Logon Key on Windows Terminal Server here.