Windows Logon plug-in

With ​Akamai​ Windows Logon plug-in, you can add ​Akamai MFA​ as the secondary authentication step to protect all Windows logins including the Remote Desktop Services (RDS). As a result, users when signing in to their Windows accounts have to, first, authenticate themselves using their Windows credentials. Next, ​Akamai MFA​ challenges them with the secondary authentication request using the factor that they enabled on their enrolled mobile device.

See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.

📘

This authentication process refers to users who are enrolled in ​Akamai MFA​.

  1. The user establishes an RDP connection to the Windows server with remote desktop services enabled (further referred to as Windows server).

  2. The Windows server prompts the user to log in using their credentials.

  3. Active Directory confirms that the primary authentication was successful.

  4. Upon successful authentication, the Windows server, using the ​Akamai​ plug-in, establishes a connection over TCP port 443 and redirects the user to ​Akamai MFA​.

  5. ​Akamai MFA​ challenges the user with secondary authentication.

  6. The user confirms their identity using the selected secondary authentication method.

  7. ​Akamai MFA​ redirects the user to the Windows server.

  8. The Windows server allows the user to proceed to the protected application.

ag-win-logon-diagram

Before you begin

  • This integration communicates with ​Akamai MFA​ on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following csv file provides the relevant CIDR blocks for the ​mfa.akamai.com​ host: ​Akamai MFA​ CIDR blocks list.

📘

Your <API Host> is available in the ​Akamai MFA​ Integrations configuration page.

  • To enable this integration for users, ensure that they have either local or domain user accounts. The users' Windows login names have to match their ​Akamai MFA​ user names. Also, make sure that the users are enrolled in ​Akamai MFA​ and their registered mobile devices have been activated.

  • Prior to the installation of the plug-in, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use ​Akamai MFA​.

System requirements

The latest Windows Logon plug-in supports the following client and server operating systems:

Clients

  • Windows 10 (64-bit)
  • Windows 11

Servers

  • Windows Server 2012 R2 (64-bit)
  • Windows Server 2016 (64-bit)
  • Windows Server 2019 (64-bit)
  • Windows Server 2022

🚧

Specific usage requirements and caveats apply when running the plug-in on Windows Server 2012R2:

  • For Windows Server 2012R2 console login, the user needs to enter their username and password in a single field on the lock screen to log in for the first time.
  • The current username is stored after successful first time log in, and for subsequent attempts the lock screen log-in field gets automatically populated with the username. To proceed and unlock the screen, the user needs to enter just the password.

The legacy Windows Logon plug-in supports the following server operating system:

  • Windows Server 2012 R1 Standard (64-bit)

📘

Make sure you've installed the latest Microsoft updates before installing the plug-in.

Add an RDP integration

Follow this procedure to generate the integration credentials that you will need to provide in the following step to enable the communication between ​Akamai MFA​ and the Windows server.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select the RDP.

  4. In Name, enter a unique name for your RDP integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps of the configuration.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

Install the latest ​Akamai MFA​ Windows Logon plug-in

Follow these steps to manually install the Windows Logon plug-in for ​Akamai MFA​. Please note that this version of the plugin doesn't support Windows Server 2012 R1 Standard, which is now supported by the legacy version of the plug-in.

Before you begin

How to

  1. Download the AkamaiMfaCredentialProvider-3.5.0.0.msi installation package.

  2. Open Command Prompt as admin.

  3. Launch the installation of the package using the following command msiexec.exe /i <path to AkamaiMfaCredentialProvider-3.5.0.0.msi>.
    The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaCredentialProvider-3.5.0.0.msi package.

  4. In the installer welcome dialog, click Next.

  5. The installer configuration dialog, enter the API Host, and your authentication credentials copied from the ​Akamai MFA​ integration page. Click Next.

  6. Select which login attempts you want to protect by adding ​Akamai MFA​ as the secondary authentication step:

    • Leave the default Remote Only option if you want to add ​Akamai MFA​ only to remote sessions.
    • Select Remote and Console Logon if you want to add ​Akamai MFA​ to both local and RDP Windows logins.
  7. Click Install to start the installation.

  8. When the installation is completed, click Finish.
    You've just installed the Windows Logon plug-in for ​Akamai MFA​.
    Now, you can test your configuration.

Update your Windows Logon plugin

The latest version of the Windows Logon plugin is 3.5.0.0.

If you’re running a plugin version earlier than 3.5.0.0, you need to update to the latest version. Please note that this upgrade procedure doesn't apply to the legacy version of the plugin.

To update, follow these steps:

  1. Uninstall your current Windows Logon plugin.
  2. Install version 3.5.0.0 of the plugin using the same Integration ID and Signing Key that you generated when creating the RDP integration in ​Akamai​ Enterprise Center.

Install the legacy ​Akamai MFA​ Windows Logon plug-in

Follow these steps to manually install the legacy version of the Windows Logon plug-in for ​Akamai MFA​.

🚧

The legacy plug-in supports Windows Server 2012 R1 Standard only and should NOT be installed on any other Windows OS. This plugin doesn't support offline authentication.

Before you begin

  1. Update your OS to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

  2. Install the KB4601348 security update from Microsoft Update Catalog.

How to

  1. Download the AkamaiMfaCredentialProviderLegacyLatest.msi installation package.

  2. Open Command Prompt as admin.

  3. Launch the installation of the package using the following command msiexec.exe /i <AkamaiMfaCredentialProviderLegacyLatest.msi>.
    The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaCredentialProviderLegacyLatest.msi package.

  4. In the installer welcome dialog, click Next.

  5. The installer configuration dialog, enter the API Host, and your authentication credentials copied from the ​Akamai MFA​ integration page. Click Next.

  6. Select which login attempts you want to protect by adding ​Akamai MFA​ as the secondary authentication step:

    • Leave the default Remote Only option if you want to add ​Akamai MFA​ only to remote sessions.
    • Select Remote and Console Logon if you want to add ​Akamai MFA​ to both local and RDP Windows logins.
  7. Click Install to start the installation.

  8. When the installation is completed, click Finish.
    You've just installed the Windows Logon plug-in for ​Akamai MFA​.
    Now, you can test your configuration.

Update your Legacy Windows Logon plug-in

The latest version of the Legacy Windows RDP plug-in is 0.1.2.3
If you’re running a plug-in version earlier than 0.1.2.3, you need to update to the latest legacy version.
To update, follow these steps:

  1. To find out which version of the Legacy Windows plug-in you’re running on your PC go to Control Panel > Programs > Programs and Features and check the version of the ​Akamai MFA​ Cred Provider.

  2. If you’re running a version earlier than 0.1.2.3, uninstall your current Legacy Windows Logon plug-in.

  3. Install the latest legacy plug-in version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in ​Akamai​ Enterprise Center.

Test your setup

Before you begin

Enroll your mobile device in ​Akamai MFA​ to learn more.

In this step, you will log in to the user's Windows account to check if the configuration works correctly.

Testing your setup allows you to experience the end-users authentication process.

📘

This step is optional.

  1. Log in to Windows using your Windows username and password.

  2. You're redirected to the ​Akamai MFA​ authentication prompt, where you can select the preferred secondary factor.

  3. The authentication request is sent to your enrolled mobile device. Click Allow to confirm your identity.

  4. Once you successfully confirm your identity, you're logged in to your Windows account.

Set up Windows offline authentication

📘

You need to set up your offline authentication policy in Enterprise Center first to enable this feature.

Follow these steps to enable offline authentication on your Windows workstation.

How to

  1. On your Windows login screen, enter your credentials and press Enter.

  2. Select your authentication device and method to authenticate.

    After successful authentication, you are prompted to activate offline authentication.

  3. Click Activate Now.

  4. With your TOTP authenticator app, scan the QR code displayed on the screen.

  5. After scanning the QR code, your authenticator app displays a 6-digit code. Enter that code into the 6-digit code input field on your workstation.

  6. Click Activate Offline Login.

    You are now logged in to your Windows session. Next time you log in, you will be able to authenticate offline.

Authenticate offline

Follow these steps to log in to your Windows account when you are offline.

How to

  1. On your Windows login screen, enter your credentials and press Enter.

  2. If the ​Akamai MFA​ Windows logon plugin detects that your workstation has no Internet connection, you are prompted to authenticate offline.

  3. Open your TOTP authenticator app to get the 6-digit authorization code.

  4. On your workstation, enter the 6-digit code into the login input field.

  5. Click Login.

    You are now logged in to your Windows session.

Note that depending on the offline policy configuration, you may be prompted to authenticate online after reaching max allowed consecutive offline logins, or max allowed offline days.