Windows Logon plug-in

With ​Akamai​ Windows Logon plug-in, you can add ​Akamai MFA​ as the secondary authentication step to protect all Windows logins including the Remote Desktop Services (RDS). As a result, users when signing in to their Windows accounts have to, first, authenticate themselves using their Windows credentials. Next, ​Akamai MFA​ challenges them with the secondary authentication request using the factor that they enabled on their enrolled mobile device.

See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.

📘

This authentication process refers to users who are enrolled in ​Akamai MFA​.

  1. The user establishes an RDP connection to the Windows server with remote desktop services enabled (further referred to as Windows server).

  2. The Windows server prompts the user to log in using their credentials.

  3. Active Directory confirms that the primary authentication was successful.

  4. Upon successful authentication, the Windows server, using the ​Akamai​ plug-in, establishes a connection over TCP port 443 and redirects the user to ​Akamai MFA​.

  5. ​Akamai MFA​ challenges the user with secondary authentication.

  6. The user confirms their identity using the selected secondary authentication method.

  7. ​Akamai MFA​ redirects the user to the Windows server.

  8. The Windows server allows the user to proceed to the protected application.

ag-win-logon-diagramag-win-logon-diagram

Prerequisites

  • This integration communicates with ​Akamai MFA​ on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration.

📘

Your <API Host> is available in the ​Akamai MFA​ Integrations configuration page.

  • To enable this integration for users, ensure that they have either local or domain user accounts. The users' Windows login names have to match their ​Akamai MFA​ user names. Also, make sure that the users are enrolled in ​Akamai MFA​ and their registered mobile devices have been activated.

  • Prior to the installation of the plug-in, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use ​Akamai MFA​.

System requirements

Windows Logon plug-in supports the following client and server operating systems:

Clients

  • Windows 10

Servers

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

📘

Make sure you've installed the latest Microsoft updates before installing the plug-in.

Add an RDP integration

Follow this procedure to generate the integration credentials that you will need to provide in the following step to enable the communication between ​Akamai MFA​ and the Windows server.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select the RDP.

  4. In Name, enter a unique name for your RDP integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps of the configuration.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

Install the ​Akamai​ Windows Logon plug-in

Follow these steps to manually install the Windows Logon plugin for ​Akamai MFA​.

  1. Download the AkamaiMfaCredentialProvider.msi installation package:

  2. Open Command Prompt as admin.

  3. Launch the installation of the package using the following command msiexec.exe /i <path to AkamaiMfaCredentialProvider.msi>.
    The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaCredentialProvider.msi package.

  4. In the installer welcome dialog, click Next.

  5. The installer configuration dialog, enter the API Host, and your authentication credentials copied from the ​Akamai MFA​ integration page. Click Next.

  6. Select which login attempts you want to protect by adding ​Akamai MFA​ as the secondary authentication step:

    • Leave the default Remote Only option if you want to add ​Akamai MFA​ only to remote sessions.
    • Select Remote and Console Logon if you want to add ​Akamai MFA​ to both local and RDP Windows logins.
  7. Click Install to start the installation.

  8. When the installation is completed, click Finish.
    You've just installed the Windows Logon plug-in for ​Akamai MFA​.
    Now, you can test your configuration.

Upgrade Windows Logon plug-in

The latest version of the Windows RDP plug-in is 3.0.0.0.
If you’re running a plug-in version earlier than 3.0.0.0, you need to upgrade to the latest version.

To upgrade, follow these steps:

  1. To find out which version of the Windows plug-in you’re running on your PC go to Control Panel > Programs > Programs and Features and check the version of the ​Akamai MFA​ Cred Provider.

  2. If you’re running a version earlier than 3.0.0.0, uninstall your current Windows plug-in.

  3. Install the latest plug-in version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in ​Akamai​ Enterprise Center.

Test your setup

Before you begin

Enroll your mobile device in ​Akamai MFA​ to learn more.

In this step, you will log in to the user's Windows account to check if the configuration works correctly.

Testing your setup allows you to experience the end-users authentication process.

📘

This step is optional.

  1. Log in to Windows using your Windows username and password.

  2. You're redirected to the ​Akamai MFA​ authentication prompt, where you can select the preferred secondary factor.

  3. The authentication request is sent to your enrolled mobile device. Click Allow to confirm your identity.

  4. Once you successfully confirm your identity, you're logged in to your Windows account.


Did this page help you?