Two-factor authentication for AD FS on Windows Server 2016, 2019 and 2022

Table of Contents Related Articles

Windows Server 2016, 2019 and 2022
This guide is for installing the LoginTC AD FS Connector on Windows Server 2016, 2019 and 2022. For AD FS on Windows Server 2012 R2, see Two factor authentication for Active Directory Federation Services (AD FS) on Windows Server 2012 R2.

Native Entra ID LoginTC MFA
Integrate LoginTC natively with External Authentication Method for Entra ID / Azure AD. No additional on-premises infrastructure required. See Microsoft Entra ID External Authentication Methods (EAM) for more information.

Overview

The LoginTC AD FS Connector protects access to your Microsoft Active Directory Federation Services (AD FS) by adding a second factor LoginTC challenge to existing username and password authentication. The LoginTC AD FS Connector provides a LoginTC multi-factor authentication (MFA) method to your AD FS deployment.

Subscription Requirement
Your organization requires the Business or Enterprise plan to use the LoginTC AD FS Connector. See the Pricing page for more information about subscription options.

User Experience

After entering the username and password into the AD FS login, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.

Video Instructions
Architecture

Authentication Flow

  1. A user attempts access to AD FS protected service with username / password
  2. A SAML request is made to AD FS
  3. The username / password is verified against an existing first factor directory (i.e. Active Directory)
  4. The request is trapped by LoginTC AD FS Connector and an authentication request is made to LoginTC Cloud Services
  5. Secure push notification request sent to the user’s mobile or desktop device
  6. User response (approval or denial of request) sent to LoginTC Cloud Services
  7. The LoginTC AD FS Connector validates the user response
  8. User is granted access to AD FS protected service

Prefer Reading a PDF?
Download a PDF file with configuration instructions:

Prerequisites

Before proceeding, please ensure you have the following:

  • LoginTC Admin Panel account
  • Microsoft Windows Server 2016, Windows Server 2019 or Windows Server 2022
  • Active Directory Federation Services (AD FS) role

Working AD FS Deployment
It is strongly recommended that you have a working and tested AD FS deployment with at least one service prior to adding LoginTC authentication.

Create Application

Start by creating a LoginTC Application for your deployment. An Application represents a service (e.g. An application is a service (e.g., VPN or web application) that you want to protect. e) that you want to protect with LoginTC.

Create a LoginTC Application in LoginTC Admin Panel, follow Create Application Steps.

If you have already created a LoginTC Application for your deployment, then you may skip this section and proceed to Installation.

Normalize Usernames
Usernames in ADFS are typically in the form “CORP\john.doe”, while in the LoginTC Admin Panel it is generally more convenient to simply use “john.doe”.

Configure Normalize Usernames from the Domain settings by navigating to Domains > Your Domain > Settings.

Select Yes, Normalize Usernames scroll down and click Update.

Installation
  1. Download the latest version of the LoginTC AD FS Connector
  2. Run the installer file as a privileged administrator user on the Windows Server with the AD FS role. Also ensure that the AD FS service is running prior to installing.
  3. Press Next
  4. Read the License Agreement and press Next if you accept the terms.
  5. Change the LoginTC API Host only if you have a private enterprise LoginTC deployment. Press Next:
  6. Enter your LoginTC Application ID and Application API Key. These values are found on your LoginTC Admin Panel. Press Next
  7. Press Install. Note that the AD FS service will be restarted during installation and may be temporarily unavailable to your users.
Configuration for ADFS MFA

To configure your AD FS to use the LoginTC MFA method:

  1. Open the AD FS Management console.
  2. Click on the Service > Authentication Methods directory in the left side menu.
  3. Click on Edit Multi-factor Authentication Methods
  4. Check LoginTC in the list of MFA methods.
  5. Click on Relying Party Trusts in the left side menu
  6. Select the Relying Party you wish to add LoginTC MFA to
  7. Click on Edit Access Control Policy… under Actions in the right sidebar
  8. Select an access control policy that uses MFA (e.g. Permit everyone and require MFA)
  9. Press Apply and OK

Windows Server 2019
If you are installing the LoginTC AD FS Connector on Windows Server 2019 you are required to run the following PowerShell command to allow the AD FS login page to embed the LoginTC authentication options:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "frame-src 'self' https://cloud.logintc.com"


Your AD FS login will now present the user with a secondary LoginTC authentication page.

Usage

User Usage

Users continue using AD FS-protected services as they did before, except now when they log in they will be presented with a second step to perform LoginTC authentication before they can access their AD FS-protected services.

After successfully authenticating with their username and password, the user is presented with options to log in with LoginTC. The user may select to authenticate using LoginTC push, bypass codes, or OTPs. The page is presented to the user in French or English depending on the user’s system and browser language settings.

If the user selects LoginTC push, they are informed to approve the LoginTC request on their device. The user is also presented with an option to remember their LoginTC login choice. The next time the user logs in they will automatically receive a LoginTC push notification. The user may also cancel the login attempt and return to the login page.

Logging

The LoginTC AD FS Connector logs events to the Microsoft Event Viewer under Applications and Service Logs → LoginTC. In some cases, it may be helpful to also look at the general AD FS logs under Custom Views → ServerRoles → Active Directory Federation Services.

Uninstallation

To uninstall the LoginTC AD FS Connector, simply navigate to the Add or remove programs in the Windows Control Panel, find LoginTC AD FS Connector in the list and follow the prompts.

Prior to Uninstalling
Prior to uninstalling the LoginTC AD FS Connector, ensure that the LoginTC MFA method is not being used in any of your AD FS authentication policies. The uninstallation will fail if the LoginTC MFA method is being used in any of your AD FS authentication policies.

Troubleshooting

Email Support
For any additional help please email support@cyphercor.com. Expect a speedy reply.

Related Connectors

You may also be interested in our:

Start your free trial today. No credit card required.

Sign up and Go

By continuing to use our website, you acknowledge the use of cookies. Privacy Policy Close