MFA Email Time Based Pass-code Provider v1.0.0.8

Features

Unlicensed version

  • Multi-language UI: English, Spanish, French, German, Chinese, Portuguese, Russian, Italian, Arabic, Turkish, Dutch, Finnish, Swedish, Norwegian, Polish, Danish and Lithuanian.
  • Unlimited user accounts for personal or trial use scenarios.
  • Authorization codes are 19 digits long.
  • Authorization codes are valid up to 60 min.
  • Supports ADFS CSS themes.
  • Authorization code is delivered to the e-mail address stored in the user’s AD account attribute.
  • Logs are stored in Windows application log.
  • Runs on ADFS 2016 and ADFS 2019 servers.
  • Supports unlimited users.

Licensed version

  • Authorization codes are 6 digits long.
  • Unlimited user accounts of licensed organization.
  • Authorization code validity can be customised.
  • Allows secure SMTP configuration (SSL) and user authentication options.
  • User interface customizations for provider’s interface.
  • Free version notes are removed.

Release information

Version: 1.0.0.8

  • Release date 30/04/2019

  • Added extra language interfaces: Dutch, Finnish, Swedish, Norwegian, Polish, Danish.

  • Extra information in the Event Log on the pass-code requestor's IP address and User-Agent.


Content

Deploy SecureMFA Email Time Based Pass-code Provider into ADFS Farm

Preparation steps

Before you can start using “SecureMFA Email TBP Provider” in your ADFS farm you must complete the steps below.

1) Download the latest “SecureMFA Email TBP Provider” from https://www.securemfa.com/downloads.

2) The content is downloaded as a zip file. Extract it on the primary ADFS server into the “C:\SecureMFAEmailOtpProvider” folder.

3) Within that directory update “SecureMFAEmailOtpProvider.json”. If you are using a free license you only need to modify the "smtp_server" settings. If you buy a license to enable all the features, you will also need to update the "company" and "serialkey" values to unlock the app.

4) If you need verbose logs in the Windows event log for troubleshooting, change the "verboselog" value from “false” to “true”. Note that verbose logging can affect your servers’ performance, so use it only for troubleshooting. Don’t enable “verboselog” in production environments, as it may reveal configuration secrets.

{
  "company": "MyCompany",
  "serialkey": "m00000000",
  "smtp_server": "smtp.adatum.labnet",
  "smtp_mailfrom": "mfa.no.reply@adatum.labnet",
  "smtp_port": "25",
  "smtp_enablessl": "false",
  "smtp_username": "",
  "smtp_password": "",
  "smtp_remove_user_prefix": "false",
  "auth_code_valid_inteval_seconds": "3600",
  "ui_customization": "false",
  "ui_login_text": "",
  "verboselog": "false"
}
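The following script is an added example, not part of the SecureMFA package: it sanity-checks the configuration file above before the provider is registered (valid JSON, required keys present, verbose logging off, credentials only with SSL, sane interval and port). The default path and the rule thresholds are assumptions; the key names are the ones shown in the sample.

```powershell
# Added example (not part of the SecureMFA package): sanity-check the provider
# config before registering it. Default path and rule thresholds are assumptions.
param([string]$Path = 'C:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.json')

$findings = New-Object System.Collections.Generic.List[string]
try {
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
} catch {
    Write-Output "FAIL: $Path is not valid JSON (a trailing comma before '}' is a common cause): $($_.Exception.Message)"
    exit 1
}

# Keys the documentation lists; every value in this file is a string.
$required = 'smtp_server', 'smtp_mailfrom', 'smtp_port', 'smtp_enablessl', 'smtp_username',
            'smtp_password', 'auth_code_valid_inteval_seconds', 'verboselog'
foreach ($key in $required) {
    if (-not $cfg.PSObject.Properties[$key]) { $findings.Add("missing key: $key") }
}

# Verbose logging is for troubleshooting only; it may write configuration secrets to the event log.
if ("$($cfg.verboselog)" -eq 'true') { $findings.Add('verboselog is "true": turn it off outside troubleshooting') }

# SMTP credentials configured while SSL is off would cross the network in clear text.
if ("$($cfg.smtp_username)" -ne '' -and "$($cfg.smtp_enablessl)" -ne 'true') {
    $findings.Add('smtp_username is set but smtp_enablessl is not "true"')
}
if ("$($cfg.smtp_password)" -ne '') {
    $findings.Add('smtp_password is stored in clear text: restrict NTFS permissions on this file to the ADFS service account and administrators')
}

# Validity interval must be a positive whole number of seconds; 3600 (60 min) is the documented default.
$seconds = 0
if (-not [int]::TryParse("$($cfg.auth_code_valid_inteval_seconds)", [ref]$seconds) -or $seconds -le 0) {
    $findings.Add('auth_code_valid_inteval_seconds is not a positive integer')
} elseif ($seconds -gt 3600) {
    $findings.Add("auth_code_valid_inteval_seconds is $seconds, longer than the 60 min default")
}

$port = 0
if (-not [int]::TryParse("$($cfg.smtp_port)", [ref]$port) -or $port -lt 1 -or $port -gt 65535) {
    $findings.Add('smtp_port is not a valid TCP port')
}
if ("$($cfg.smtp_mailfrom)" -notmatch '^[^@\s]+@[^@\s]+$') { $findings.Add('smtp_mailfrom is not an e-mail address') }

if ($findings.Count -eq 0) { Write-Output "OK: $Path passed all checks"; exit 0 }
$findings | ForEach-Object { Write-Output "WARN: $_" }
exit 1
```

Run it on the primary node after editing the file; a non-zero exit code means at least one finding was reported.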

SecureMFA Email TBP Provider Installation

Before a “SecureMFA Email TBP Provider” can be invoked by AD FS, it must be registered in the system. The PowerShell script below performs the necessary installation actions, including installation into the GAC and registration in the AD FS farm.

Script to install “SecureMFA Email TBP Provider” on primary ADFS node

#Open an elevated PowerShell command window on your federation server and execute the following commands.
#Note that if you are using a federation server farm that uses Windows Internal Database, you must execute these commands on the primary federation server of the farm. You can comment out language resource files if you want the provider to fall back to English for the commented-out languages.
#The commands below need to be executed on one server in the ADFS farm.
 
#Check if windows events source for application log exist, if not create one.
if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA Email OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA Email OTP"}
 
#Remove additional authentication providers from ADFS global policy and unregister SecureMfaEmailOtpProvider
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ""
Unregister-AdfsAuthenticationProvider -Name "SecureMfaEmailOtpProvider" -Confirm:$false
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#Load GAC Assembly
Set-location "c:\SecureMfaEmailOtpProvider"            
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")            
$publish = New-Object System.EnterpriseServices.Internal.Publish  
 
#Remove SecureMfaEmailOtpProvider Languages DLL files from GAC assembly
#Spanish language                 
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\es\SecureMfaEmailOtpProvider.resources.dll") 
#French language                 
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\fr\SecureMfaEmailOtpProvider.resources.dll") 
#German language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\de\SecureMfaEmailOtpProvider.resources.dll")
#Chinese language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\zh\SecureMfaEmailOtpProvider.resources.dll")  
#Portuguese language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\pt\SecureMfaEmailOtpProvider.resources.dll")
#Russian language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\ru\SecureMfaEmailOtpProvider.resources.dll") 
#Italian language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\it\SecureMfaEmailOtpProvider.resources.dll") 
#Arabic language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\ar\SecureMfaEmailOtpProvider.resources.dll") 
#Turkish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\tr\SecureMfaEmailOtpProvider.resources.dll")  
#Dutch language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\nl\SecureMfaEmailOtpProvider.resources.dll")  
#Finnish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\fi\SecureMfaEmailOtpProvider.resources.dll")
#Swedish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\sv\SecureMfaEmailOtpProvider.resources.dll") 
#Norwegian language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\no\SecureMfaEmailOtpProvider.resources.dll") 
#Polish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\pl\SecureMfaEmailOtpProvider.resources.dll") 
#Danish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\da\SecureMfaEmailOtpProvider.resources.dll")
#Lithuanian language           
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\lt\SecureMfaEmailOtpProvider.resources.dll")  
 
#Add SecureMfaEmailOtpProvider Languages DLL files to GAC assembly
#Spanish language                 
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\es\SecureMfaEmailOtpProvider.resources.dll") 
#French language                 
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\fr\SecureMfaEmailOtpProvider.resources.dll") 
#German language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\de\SecureMfaEmailOtpProvider.resources.dll")
#Chinese language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\zh\SecureMfaEmailOtpProvider.resources.dll")  
#Portuguese language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\pt\SecureMfaEmailOtpProvider.resources.dll")
#Russian language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\ru\SecureMfaEmailOtpProvider.resources.dll") 
#Italian language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\it\SecureMfaEmailOtpProvider.resources.dll") 
#Arabic language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\ar\SecureMfaEmailOtpProvider.resources.dll") 
#Turkish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\tr\SecureMfaEmailOtpProvider.resources.dll")  
#Dutch language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\nl\SecureMfaEmailOtpProvider.resources.dll")  
#Finnish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\fi\SecureMfaEmailOtpProvider.resources.dll")
#Swedish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\sv\SecureMfaEmailOtpProvider.resources.dll") 
#Norwegian language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\no\SecureMfaEmailOtpProvider.resources.dll") 
#Polish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\pl\SecureMfaEmailOtpProvider.resources.dll") 
#Danish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\da\SecureMfaEmailOtpProvider.resources.dll")
#Lithuanian language           
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\lt\SecureMfaEmailOtpProvider.resources.dll")    
 
#Remove SecureMfaEmailOtpProvider DLL from GAC assembly
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")      
 
#Add SecureMfaEmailOtpProvider DLL to GAC assembly         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")     
 
#Register SecureMfaEmailOtpProvider adapter
$typeName = "SecureMfaEmailOtpProvider.AuthenticationAdapter, SecureMfaEmailOtpProvider, Version=1.0.0.7, Culture=neutral, PublicKeyToken=1ecd877c866018d2, processorArchitecture=MSIL"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "SecureMfaEmailOtpProvider" -ConfigurationFilePath 'C:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.json'
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#Add SecureMfaEmailOtpProvider as additional authentication provider in ADFS
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "SecureMfaEmailOtpProvider"    
  

Script to install “SecureMFA Email TBP Provider” on other ADFS nodes

If you have more servers in the ADFS farm, execute the following script on the remaining nodes.

#Open an elevated PowerShell command window on your federation server and execute the following commands.
#NOTE: you don't need to register the DLL on ADFS proxy servers.
#You can comment out language resource files if you want the provider to fall back to English for the commented-out languages.
 
#Check if windows events source for application log exist, if not create one.
if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA Email OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA Email OTP"}
 
#Load GAC Assembly
Set-location "c:\SecureMfaEmailOtpProvider"            
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")            
$publish = New-Object System.EnterpriseServices.Internal.Publish  
 
#Remove SecureMfaEmailOtpProvider Languages DLL files from GAC assembly
#Spanish language                 
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\es\SecureMfaEmailOtpProvider.resources.dll") 
#French language                 
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\fr\SecureMfaEmailOtpProvider.resources.dll") 
#German language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\de\SecureMfaEmailOtpProvider.resources.dll")
#Chinese language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\zh\SecureMfaEmailOtpProvider.resources.dll")  
#Portuguese language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\pt\SecureMfaEmailOtpProvider.resources.dll")
#Russian language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\ru\SecureMfaEmailOtpProvider.resources.dll") 
#Italian language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\it\SecureMfaEmailOtpProvider.resources.dll") 
#Arabic language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\ar\SecureMfaEmailOtpProvider.resources.dll") 
#Turkish language         
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\tr\SecureMfaEmailOtpProvider.resources.dll")  
#Lithuanian language           
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\Languages\lt\SecureMfaEmailOtpProvider.resources.dll")  
 
#Add SecureMfaEmailOtpProvider Languages DLL files to GAC assembly
#Spanish language                 
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\es\SecureMfaEmailOtpProvider.resources.dll") 
#French language                 
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\fr\SecureMfaEmailOtpProvider.resources.dll") 
#German language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\de\SecureMfaEmailOtpProvider.resources.dll")
#Chinese language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\zh\SecureMfaEmailOtpProvider.resources.dll")  
#Portuguese language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\pt\SecureMfaEmailOtpProvider.resources.dll")
#Russian language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\ru\SecureMfaEmailOtpProvider.resources.dll") 
#Italian language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\it\SecureMfaEmailOtpProvider.resources.dll") 
#Arabic language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\ar\SecureMfaEmailOtpProvider.resources.dll") 
#Turkish language         
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\tr\SecureMfaEmailOtpProvider.resources.dll")  
#Lithuanian language           
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\Languages\lt\SecureMfaEmailOtpProvider.resources.dll")   
 
#Remove SecureMfaEmailOtpProvider DLL from GAC assembly
$publish.GacRemove("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")

#Add SecureMfaEmailOtpProvider DLL to GAC assembly
$publish.GacInstall("c:\SecureMfaEmailOtpProvider\SecureMfaEmailOtpProvider.dll")
 
#Restart ADFS service
net stop adfssrv
net start adfssrv
 
#List all authentication providers
Get-AdfsAuthenticationProvider | select name 
 

Verification

To verify that “SecureMFA Email TBP Provider” has been installed successfully:

1) Open the AD FS Management Snap-in (from Server Manager Tools menu)

2) Click Authentication Policies at left

3) In the center pane, under Multi-Factor Authentication, click the blue Edit link to the right of Global Settings.

4) Under Select additional authentication methods at the bottom of the page, check that “Email Time Based Authentication Provider” is selected.
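The same checks can be made from PowerShell on the primary node. This is an added example, not part of the SecureMFA package; the provider name, assembly identity and event source are taken from the installation script above.

```powershell
# Added example (not part of the SecureMFA package): verify the provider registration
# from PowerShell instead of the AD FS Management snap-in. Run on the primary node.
$name   = 'SecureMfaEmailOtpProvider'
$asm    = 'SecureMfaEmailOtpProvider, Version=1.0.0.7, Culture=neutral, PublicKeyToken=1ecd877c866018d2'
$source = 'Secure MFA Email OTP'

$checks = [ordered]@{}

# Registered with AD FS at all?
$checks['provider registered']      = [bool](Get-AdfsAuthenticationProvider | Where-Object Name -eq $name)

# Selected as an additional (MFA) method in the global policy, as the GUI steps check.
$checks['enabled in global policy'] = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -contains $name

# Event source the provider logs under; created by the installation script.
$checks['event source exists']      = [System.Diagnostics.EventLog]::SourceExists($source)

# Assembly resolvable from the GAC (Load by full name fails if GacInstall did not run).
try {
    $checks['assembly in GAC'] = [System.Reflection.Assembly]::Load($asm).GlobalAssemblyCache
} catch {
    $checks['assembly in GAC'] = $false
}

$checks['adfssrv running'] = (Get-Service -Name adfssrv).Status -eq 'Running'

$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { exit 1 }
```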

ADFS Applications

When a user logs in to an ADFS application that requires multi-factor authentication, the user is able to request an authorization code sent to the e-mail address registered with the user’s Active Directory account.

Below is a print screen of “SecureMFA Email TBP Provider”.

By default, the authorization pass-code that is sent to the user’s e-mail address is valid for up to 1 hour.

User interface customizations

Licensed clients can customize the provider’s text that is presented to users during logon. You can use simple HTML, such as links, to point users to a self-service portal etc. The text is configured in the configuration file “SecureMfaEmailOtpProvider.json”.

SecureMfaEmailOtpProvider.json config settings for user interface customization:

"login_text": "Enter a code received from MFA Email Authenticator.”

You will have to change "ui_customization" to "true" for this change to take effect.

Claims

Every successful second-factor authentication session issues a new authentication method claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod)

with the value: http://schemas.securemfa.com/ws/2012/12/authmethod/emailotp1

Authorization code validity customization

By default the authorization pass-code is valid for up to 1 h. Licensed clients can change the validity interval by updating the “SecureMfaEmailOtpProvider.json” configuration file. The sample below sets the authorization code validity to 5 min. The validity time is set in seconds.

"auth_code_valid_inteval_seconds": "300"

SMTP Configuration

By default the provider uses the default SMTP TCP port 25 and anonymous authentication. You can update the SMTP server’s hostname / VIP address and port number (if required) by updating the settings below in the SecureMfaEmailOtpProvider.json file. Change the “smtp_mailfrom" address, which users will see as the reply address.

"smtp_server": "smtp.adatum.labnet"
"smtp_port": "25"
"smtp_mailfrom": "mfa.no.reply@adatum.labnet"

Licensed clients can enable a secure SMTP connection via SSL and use service account credentials for authentication by updating the settings below:

"smtp_enablessl": "true"
"smtp_username": "smtpuser"
"smtp_password": "userpassword"

If you need to hide the user’s account prefix in authorization e-mails as an additional security measure, set “smtp_remove_user_prefix” in the JSON config file to “true”.

The pictures below show how the authorization e-mail looks with the user’s prefix enabled and disabled.

"smtp_remove_user_prefix": "true"
"smtp_remove_user_prefix": "false"

Logs

All provider-related logs are stored in the Windows Application event log.

Source: Secure MFA Email OTP

Event ID 6660: Configuration Logs

Event ID 6662: Successful Events

Event ID 6663: Failed Events
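Because failed attempts are logged under a fixed source and event ID, and since v1.0.0.8 the event text carries the requestor's IP address and User-Agent, the log can be watched for repeated pass-code failures. The script below is an added example, not part of the SecureMFA package; the time window, the threshold and the IP-matching regex are assumptions, while the source name and event IDs are those listed above.

```powershell
# Added example (not part of the SecureMFA package): summarise the provider's own events
# for the last N hours so repeated pass-code failures stand out. Window, threshold and
# the IPv4 regex are assumptions; source and event IDs are from the documentation.
param([int]$Hours = 1, [int]$Threshold = 5)

$since = (Get-Date).AddHours(-$Hours)
$base  = @{ LogName = 'Application'; ProviderName = 'Secure MFA Email OTP'; StartTime = $since }

# Get-WinEvent errors when nothing matches; SilentlyContinue turns that into an empty array.
$ok   = @(Get-WinEvent -FilterHashtable ($base + @{ Id = 6662 }) -ErrorAction SilentlyContinue)
$fail = @(Get-WinEvent -FilterHashtable ($base + @{ Id = 6663 }) -ErrorAction SilentlyContinue)
Write-Output ("Since {0}: {1} successful, {2} failed pass-code events" -f $since, $ok.Count, $fail.Count)
if ($fail.Count -eq 0) { return }

# The exact message layout is not documented here, so key on the first IPv4 literal in the
# message when present (requestor IP), otherwise on the first line of the message.
function Get-FailureKey([string]$Message) {
    $m = [regex]::Match($Message, '\b(?:\d{1,3}\.){3}\d{1,3}\b')
    if ($m.Success) { return $m.Value }
    return ($Message -split "`r?`n")[0]
}

$fail |
    Group-Object { Get-FailureKey $_.Message } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        $action = if ($_.Count -ge $Threshold) { 'REVIEW: repeated failures' } else { '' }
        [pscustomobject]@{ Failures = $_.Count; Key = $_.Name; Latest = $latest; Action = $action }
    } | Format-Table -AutoSize
```

Run it on each ADFS node, since events are written locally on the node that handled the request.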