Documentation

    Video introduction to SMS2 & Two Factor Authentication

    Today we discuss what SMS2 is, why it’s important to you and how to use it effectively.

    How to install SMS2

    1. Ensure prerequisites are installed. To install SMS2, please make sure you have the following properly installed and configured:

    If you haven’t done so already, please download SMS2. You can request a copy of SMS2 here.

    2. Run the setup program as the administrator.

    To do so, right-click the setup file and click “Run as administrator”.

    3. Welcome to setup. Click next.

    4. Select the options you wish to install.

    SMS2 comes with three core services: the AuthEngine Service, the CloudSMS Service and the OATHCalc Service. All three are needed for SMS2 to run properly, though you can choose not to install them if you are only installing other components, such as the AdminGUI or the RADIUS extensions, which can connect to another SMS2 server over the network.

    The Citrix Web Interface Extensions can be installed in order to extend the Citrix Web Interface and remove the need for RADIUS if you wish. These extensions would normally be used if you are deploying a Citrix Access Gateway with authentication through the Web Interface or you are deploying a Citrix Secure Gateway.

    5. Select the client applications that you need.

    Most installations will only need the AdminGUI, as it’s used by users to change their own per-user settings within SMS2.

    6. Choose the installation path; click next.

    7. Confirm the installation and click next.

    8. Configure network settings.

    While the default settings will work for most installations, you may need to change them in certain situations. For example, if you are deploying SMS2 to protect multiple XenApp or XenDesktop servers, it is well advised to set the server’s LAN IP address manually rather than using the ‘localhost’ or ‘127.0.0.1’ loopback address.

    If you are running a multiserver deployment of XenApp or XenDesktop please change the network address to the server’s LAN IP address.

    9. Set the Active Directory and Text Local (CloudSMS) credentials.

    You should provide SMS2 with a service account that can be used to query for users within Active Directory. Do not use the administrator account, since SMS2 will stop working once the admin password is changed.

    If you wish to send text messages for authentication, supply a username and password for “Text Local”. Future releases will support other providers.

    10. Set SQL server details.

    You can use SQL Server Express or Enterprise. Both local and network installations are supported.

    10.1. Example SQL server setup.

    In this example we’ll use a local SQL Express server setup with integrated security. Note that no username, password, or port are needed for this type of connection.

    10.2. Ensure the connection to SQL works.

    You can click on the “Test Connection” button in order to test the configuration settings. If you see “Test successful”, everything works. If not, check that your settings and your SQL installation are correct.

    10.3. Click done when ready to move on.

    11. Ensure setup options are as expected.

    12. Select the installation location of your Citrix Web Interface 5.x.

    This screen will only appear if you are installing the Web Interface extensions.

    13. Complete install.

    14. Install the supplied trial license (if you don’t have your own yet).

    We give you a trial license with your installation of SMS2. You need to register for a full license. Registration (and the full license) is free at www.wrightcss.com.

    14.1. Copy the supplied trial license.

    14.2. Copy the trial license into the “Settings” folder inside the SMS2 installation directory.

    By default, SMS2 installs into c:\Program Files\Wright … Inside you’ll find the “Settings” folder. Copy the license file into this folder.

    14.3. If you’re asked, overwrite the license file that is already in the Settings folder.

    15. In the settings folder, open the ‘configuration.xml’ file.

    Open ‘configuration.xml’ in your favourite text editor; Notepad will do.

    16. If you want Authentication to be enabled by default, change the settings here.

    17. (Optional) Setup Authentication Defaults Exceptions.

    You can set exceptions to the default rules for Authentication. These will do the opposite of the previously set Authentication setting.

    For example, if ‘authengine default’ was set to yes, users within this exception group would not use SMS2; they would not have two factor authentication enabled because it’s the opposite of the default setting. On the other hand, if ‘authengine default’ were set to no, then users within this group would use SMS2 while everyone else would not.

    Combined with the Web Interface extensions, these settings allow SMS2 to be enabled for only a small subset of users (such as teachers or finance staff), or turned off for one specific group.

    We suggest you change the group name to either “SMS2-Users” or “No-SMS2”, depending on your needs, and then create an Active Directory group with that name.

    18. Double check the TextLocal and Active Directory credentials.

    Make sure the credentials you entered during setup are correct.

    19. Save the configuration.xml file and load “services.msc”.

    “services.msc” can be opened through the Windows Run dialog.

    20. Start the AuthEngine service.

    If you made changes to the TextLocal username/password you should restart the CloudSMS service as well.

    21. Check to make sure all the services are started.

    22. Load the AdminGUI application.

    22.1. Make sure you’re running AdminGUI as a regular domain user.

    AdminGUI will not run as a local administrator or as a local user, so make sure you run it as a regular domain user.

    AdminGUI uses pass-through authentication to ensure you are the user you claim to be. Each time it’s opened it actively authenticates the user before allowing access to the console. Since SMS2 has been configured to use Active Directory, it will not allow local user accounts to authenticate.

    The benefit of this is that AdminGUI can be published via XenApp to all users. This allows them to enter their own credentials, therefore significantly reducing the burden on the IT department.

    22.2. If there is no AdminGUI shortcut, create a link to it from the folder shown.

    23. SMS2 Setup Complete! Welcome to SMS2.

    SMS2 is now set up. Enabled users who log in via the Web Interface (if you installed the extensions) will get passcodes sent to their mobile phones. They will have to set their mobile number in the AdminGUI.

    Changing the length of a user’s PIN code

    1. Open the Configuration.xml file.

    Navigate to the Settings folder inside the installation folder (usually under c:/Program Files/Wright/Settings), then open ‘configuration.xml’ with your favorite text editor (such as Notepad).

    2. Change the XML line tagged “AuthEnginePinCodeLength”.

    3. Save the file.

    4. Restart the “AuthEngine” service after making the configuration changes.

    “services.msc” can be opened through the Windows Run dialog. Once that is open, click to restart the “Wright AuthEngine”.

    5. PIN code lengths are enforced within the Admin Console.

    How To Change The Numeric Base Of The Generated Token Codes

    To increase security, you can change the base used for generating text message / SMS tokens.

    For example, for Base10 there are 1 million possible token combinations. For Base32, there are 1 thousand million possible token combinations.

    The operation of OATH tokens will not change.

    1. Open the Configuration.xml file.

    Navigate to the Settings folder inside the installation folder (usually under c:/Program Files/Wright/Settings), then open ‘configuration.xml’ with your favorite text editor (such as Notepad).

    2. Edit AuthEngineKeyBase.

    3. Save the configuration file.

    4. Restart the “AuthEngine” service after making the configuration changes.

    “services.msc” can be opened through the Windows Run dialog. Once that is open, click to restart the “Wright AuthEngine”.

    5. This is the Alphabet used for Base32.

    The padding character is not used.
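
    As an added illustration (not SMS2’s own code), the following Python models the effect of the AuthEngineKeyBase change: it generates a six-character token in either base with a CSPRNG, validates a submitted token against that base’s alphabet, and computes the keyspace the figures above refer to. It assumes six-character tokens and the RFC 4648 Base32 alphabet (A–Z, 2–7) with the ‘=’ padding character dropped.

```python
# Added example, not SMS2 code: text-message tokens in a configurable base.
# Assumptions: tokens are 6 characters long and Base32 uses the RFC 4648
# alphabet without its '=' padding character (the page says padding is unused).
import math
import secrets

ALPHABETS = {
    10: "0123456789",
    32: "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",   # RFC 4648 Base32, no '=' padding
}
TOKEN_LENGTH = 6   # assumed; 10**6 = the "1 million" Base10 figure above


def keyspace(base: int, length: int = TOKEN_LENGTH) -> int:
    """Number of distinct tokens of the given length in the given base."""
    return base ** length


def entropy_bits(base: int, length: int = TOKEN_LENGTH) -> float:
    """Unpredictability of a uniformly random token, in bits."""
    return length * math.log2(base)


def generate_token(base: int, length: int = TOKEN_LENGTH) -> str:
    """Draw each character uniformly from the alphabet with a CSPRNG.

    secrets.choice avoids the modulo bias a naive random.randint(...) % base
    construction would introduce for alphabets whose size is not a power of 2.
    """
    alphabet = ALPHABETS[base]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_token(token: str, base: int, length: int = TOKEN_LENGTH) -> bool:
    """Reject a submitted token unless it is exactly `length` characters
    drawn from this base's alphabet (e.g. '0', '1', '8', '9' are not Base32)."""
    alphabet = ALPHABETS[base]
    return len(token) == length and all(c in alphabet for c in token)


if __name__ == "__main__":
    for base in (10, 32):
        print(f"Base{base}: {keyspace(base):,} possible tokens, "
              f"{entropy_bits(base):.1f} bits, sample {generate_token(base)}")
```

    Base32 gives 32^6 = 1,073,741,824 tokens (the “1 thousand million” above) against 10^6 for Base10, i.e. about 30 bits of unpredictability instead of about 20.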

    Use SMS2 To Accept PIN & Token As Single Value (No Challenge/Response)

    1. Open the Configuration.xml file.

    Navigate to the Settings folder inside the installation folder (usually under c:/Program Files/Wright/Settings), then open ‘configuration.xml’ with your favorite text editor (such as Notepad).

    2. Set AuthEnginePinCodeTokenSeparated to “False”.

    Challenge / response is turned on and off with the “AuthEnginePinCodeTokenSeparated” setting: “True” turns it on and “False” turns it off.

    3. Change the CloudSMS Token Expiry Time.

    In challenge / response mode, CloudSMS tokens (text message tokens) are sent immediately after the username, password and PIN page is submitted. That isn’t possible when the token must be entered on the first authentication page, so instead the token’s expiry time is increased and the user is sent a message with their next token in advance.

    The value is in minutes. There are 1,440 minutes in a day. 10,080 in a week. 40,320 minutes in four weeks.

    4. Generate a new text / SMS message when the login is refused due to an incorrect PIN (as opposed to an incorrect token code).

    If “NotifyPinCodeIncorrectOnAccess” is “False” then a new token will be sent via text / SMS message every time authentication fails for any reason.
    If “NotifyPinCodeIncorrectOnAccess” is “True” then a new token will only be sent if the token code was incorrect but the PIN code was correct.
    We recommend you set this value to “True”.

    5. Change the text on the text / SMS message.

    This screen is available to SMS2 admins by opening “Admin Console” and selecting “configuration”.
    You should change the text to something similar to “Your next passcode is: {passcode}”.

    6. Send yourself an initial token.

    This screen is in the SMS2 “Admin Console” under “Configuration” and is available to all users.
    If users do not send themselves an initial token, one will be sent automatically when they attempt their first login.

    7. Restart AuthEngine.

    “services.msc” can be opened through the Windows Run dialog.

    8. Attempt a login using NTRadPing to check that RADIUS is working as planned.

    Note the “Access-Accept” message indicating authentication was successful.

    Configure SMS2 to perform challenge response authentication

    When using “Challenge Response Authentication” your CAG / NetScaler (or other) device will ask (challenge) you for your token right after login, rather than on the login page.

    1. Open the Configuration.xml file.

    Navigate to the Settings folder inside the installation folder (usually under c:/Program Files/Wright/Settings), then open ‘configuration.xml’ with a text editor (such as Notepad).

    2. Set AuthEnginePinCodeTokenSeparated to “True”.

    3. Set NotifyPinCodeIncorrectOnAccess to “True”.

    While having this setting on “False” may possibly increase security, it may also significantly confuse your users when they forget their PIN.

    4. Change the text message text if using challenge / response.

    When a user goes from the first login screen (the username, password, PIN screen) to the second login screen (where they enter the challenge response), the system sends a text / SMS message with the challenge response (code). Make sure this message is easily understood. We recommend using a simple message such as: “Your passcode for this login is: XYZ”. The screen shown is found in the “configuration” menu, in “Admin Console”. (You can only change this screen if you’re an Admin user within SMS2.)

    5. Restart the “AuthEngine” service after making the configuration changes.

    “services.msc” can be opened through the Windows Run dialog.

    6. Test RADIUS challenge / response.

    Before rolling this out into your full production environment, it’s a good idea to test and make sure everything works. To test our systems we use NTRadPing, a free application that is available from http://www.mastersoft-group.com/download/

    If you correctly supply the username and PIN code you’ll get a response of “Access-Challenge” and a “State”. If you supply an incorrect PIN and “NotifyPinCodeIncorrectOnAccess” is set to “True” you’ll get an “Access-Reject” message. If you supply an incorrect PIN and “NotifyPinCodeIncorrectOnAccess” is set to “False” you will get an “Access-Challenge”, but no matter how you respond to the challenge the overall authentication process will fail because the PIN was wrong. Although this behaviour can prevent an attacker from learning whether a failure was due to an incorrect PIN or an incorrect token, we recommend having “NotifyPinCodeIncorrectOnAccess” set to “True”.

    7. Reply to the challenge.

    We need to reply to the server with the State value we were issued (this is how the server knows we are replying to a challenge). Add the State value provided, put the current token value into the password box, then click Send.
    Note the “Access-Accept” message indicating success.

    Now we know RADIUS challenge / response is working we can configure Citrix Access Gateway, NetScaler, or any other product as required.

    8. After you’ve followed this process your login should look like this.

    9. This is the new screen that challenge / response adds.

    Challenge / Response on the iPhone/iPad is not supported at this time.

    Remove duplicate text/SMS message tokens caused by slow RADIUS replies

    When you make a RADIUS request to SMS2 and the user is using CloudSMS, the token is sent to the user before the RADIUS request returns. If your DNS, HTTPS connections, or network cause a delay, the RADIUS request is likely to time out.
    When a RADIUS request times out, the device using RADIUS normally retries 2-3 times. This not only causes duplicate token requests but also confuses the user, as several tokens arrive on their phone at the same time and they don’t know which one to use. This guide explains how this problem can be resolved.

    1. Increase the minimum time between RADIUS requests (per user).

    “MinTimeBetweenRadiusRequestsPerUser” sets the minimum amount of time that should normally pass between unique RADIUS requests for a single user. During this time period additional text / SMS messages will not be sent to the user, the “State” value returned by RADIUS for challenge response will remain the same, and subsequent authentication requests will be assumed to be the same request.
    Login failures override this value. If during the minimum time period specified above a user authenticates using incorrect details, the next authentication request will be treated as a unique request.
    You should increase this value until the problem stops. You should also investigate your network for the source of the delay: usually slow DNS lookups (for example the text message provider’s entry having expired from the DNS cache) or something delaying the HTTPS connection to the provider.

    2. Restart AuthEngine after changing this value.

    3. Restart NPS / IAS.
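
    To make the expected NTRadPing results from the challenge / response section above and the MinTimeBetweenRadiusRequestsPerUser behaviour concrete, here is an added Python model of the AuthEngine decision logic as this page describes it; it is not SMS2’s code. The user list, PINs, timings, and the assumption that no text is sent for a wrong PIN are constructed for the example.

```python
# Added example, not SMS2 code: a model of the RADIUS replies this page
# describes for challenge/response mode, including the per-user window that
# suppresses duplicate text messages when a RADIUS client retries.
import secrets
from dataclasses import dataclass, field


@dataclass
class Config:
    # NotifyPinCodeIncorrectOnAccess: True rejects a wrong PIN on the first leg.
    notify_pin_incorrect_on_access: bool = True
    # MinTimeBetweenRadiusRequestsPerUser (modelled here in seconds).
    min_time_between_requests: float = 30.0


@dataclass
class Session:
    state: str       # RADIUS State attribute returned in Access-Challenge
    token: str       # passcode texted to the user (only if the PIN was right)
    pin_ok: bool
    started: float


@dataclass
class AuthEngine:
    cfg: Config
    pins: dict                                          # username -> PIN (constructed)
    sent_messages: list = field(default_factory=list)   # (user, token) texts "sent"
    sessions: dict = field(default_factory=dict)        # username -> open Session

    def access_request(self, user: str, pin: str, now: float):
        """First leg: username + PIN. Returns (reply, state)."""
        pin_ok = user in self.pins and secrets.compare_digest(pin, self.pins[user])
        sess = self.sessions.get(user)
        # A correct retry inside the window (e.g. NPS re-sending after a timeout)
        # is treated as the same request: same State, no second text message.
        if (pin_ok and sess and sess.pin_ok
                and now - sess.started < self.cfg.min_time_between_requests):
            return "Access-Challenge", sess.state
        if not pin_ok and self.cfg.notify_pin_incorrect_on_access:
            self.sessions.pop(user, None)          # a failure ends the window
            return "Access-Reject", None
        token = "".join(secrets.choice("0123456789") for _ in range(6))
        sess = Session(secrets.token_hex(8), token, pin_ok, now)
        self.sessions[user] = sess
        if pin_ok:
            self.sent_messages.append((user, token))   # CloudSMS would send it here
        # With the setting False a wrong PIN still receives a challenge, so the
        # caller cannot tell which factor failed (assumed: no text is sent then).
        return "Access-Challenge", sess.state

    def challenge_response(self, user: str, state: str, token: str) -> str:
        """Second leg: the State from the challenge plus the texted token."""
        sess = self.sessions.pop(user, None)       # one attempt per challenge
        if sess is None or not secrets.compare_digest(state, sess.state):
            return "Access-Reject"
        if sess.pin_ok and secrets.compare_digest(token, sess.token):
            return "Access-Accept"
        return "Access-Reject"
```

    Run the same sequence NTRadPing would send: a first request with the PIN, a retried first request a few seconds later, then the State plus the texted token.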

    Using NPS server as a RADIUS server with NetScaler

    1) Open the default install of NPS and double-click “Connections to other access servers”.

    2) Change the access permission to “Grant Access.”

    3) Input the basic settings to use your NetScaler as a RADIUS client.

    4) Add the NPS server as a RADIUS server with NetScaler.

    5) Configure a RADIUS policy with the expression ns_true – use the RADIUS server you just configured.

    6) Select your virtual server and add the RADIUS policy as a secondary authentication policy.

    How to modify the SMS2 configuration files

    Open “c:\Program Files\WrightCCS2\Settings\Configuration.xml” with Notepad.

    After making the required changes, save the file; AuthEngine will automatically restart.

    If any issues occur, or you wish to restart the services manually, they can be found in the Windows services list.

    AuthEngine is the main SMS2 control process handling all incoming connections.

    CloudSMS handles text messages and communicates with local GSM modems and cloud based text message services.

    OATHCalc processes OATH calculations for HOTP and TOTP tokens such as Feitian hardware tokens (we sell these!) and Google Authenticator.

    How do I use the SMS2 Admin Console on a remote server?

    The SMS2 Admin Console can be run remotely by end users, who will see only options for their own user account.

    The Admin Console connects to the SMS2 AuthEngine service on TCP port 9060, and the Admin Console can be installed on multiple computers or servers, such as a XenApp farm.

    Making AuthEngine reachable to remote servers

    By default AuthEngine only listens on TCP port 9060 on the loopback interface (127.0.0.1).

    The listening IP address can be changed to the IPv4 address of the server.

    It can also be set to 0.0.0.0 to listen on all IP addresses. If you do this, only the hosts that run the Admin Console or the plugins need to reach port 9060, so consider restricting access to that port at the firewall.

    Client configuration

    A “SettingsPublic” directory contains a second configuration.xml file used by unprivileged clients including “Admin Console”, “NPS/IAS Plugin”, and the “Citrix Web Interface plugin”.

    If you have reconfigured the listening IP for AuthEngine you will also need to edit the SettingsPublic\configuration.xml file on each client so that clients will connect to a valid address.

    How often does SMS2 poll Active Directory and how can I change this?

    The AuthEngine service polls Active Directory when it starts or restarts, on a definable interval, and when an SMS2 admin elects to do so.

    The definable polling interval can be set within configuration.xml and is a numeric value representing minutes. 40 would poll for AD updates every 40 minutes, 240 would be four hours.

    An SMS2 administrator can cause an immediate AD poll from the configuration menu of Admin Console.

    To cause an immediate AD poll, select “Other functions” and then “Poll Users”.

    Can we lockdown Admin Console so that users can move from text message to Google Authenticator but can't move back?

    Yes. AuthEngine has a lockdown mode that will allow a user to choose their provider (Google Auth, text message, etc) only once via Admin Console and will then lock the console to prevent further changes by the user. The SMS2 administrator will be able to unlock the user or make changes for them.

    Admin Console with AuthEngineLockDownMode set to False

    Note – this screenshot is the Admin Console as viewed by an SMS2 administrator, which is why we see multiple users and the emergency token button.

    To activate the lockdown mode, set AuthEngineLockDownMode to True.

    Lockdown mode is active but the configuration menu for this user is not locked.

    Note – this screenshot is the Admin Console as viewed by a normal user, it is for this reason we do not see multiple users or the emergency token button.

    Within the configuration menu the user can set their provider and select ‘Save Configuration’.

    Once the user has saved the configuration the menu will become grey and will not allow further changes.

    The configuration menu is now locked and the user cannot change provider without contacting an SMS2 administrator.

    How can I hide or disable a provider within Admin Console?

    Note that some of the providers shown here have been renamed; there is a separate article on this.

    There is a definition for each provider within configuration.xml.

    Change “True” to “False” to disable a provider.

    Reopening Admin Console will show that the provider has been disabled.

    Multiple providers can be disabled.

    How can I rename a provider within the Admin Console?

    The Admin Console has a number of providers and each can be renamed.

    The providers are defined within configuration.xml and each has a “FriendlyName” attribute.

    The FriendlyName attribute can be set to any text string.

    The provider names are read each time Admin Console is launched, so the change appears immediately on all clients without any further changes.

    Each provider can be renamed in the same way.

    How can our helpdesk generate emergency one-time use passcodes?

    An SMS2 administrator can see all users within the Admin Console.

    To allow emergency passcodes, set the value below in configuration.xml to True.

    Admin Console will now show an “Emergency Token” button to SMS2 administrators.

    Pushing the button will generate a one-time use passcode. Only an SMS2 admin can do this. This event will be logged.

    How can we bypass two factor authentication for certain users? How can we create a whitelist of people?

    AuthEngineDefaultEnabled declares if SMS2 should be enabled for all users by default.

    AuthEngineDefaultExceptionGroups defines groups that are an exception to the default.

    Assuming “AuthEngineDefaultEnabled” = True, any user in a group listed in “AuthEngineDefaultExceptionGroups” will find AuthEngine is disabled for them: whatever passcode they supply to RADIUS will be accepted, and our Citrix WI plugin will not prompt these users for a passcode. Because membership of this group removes the second factor entirely, treat it as a privileged group and review its membership regularly.

    You should change the Active Directory group name in configuration.xml (shown below as “WrightCCS”) to something more meaningful – perhaps “Group for users who can bypass two factor”.
