Windows Logon plug-in

With the Akamai Windows Logon plug-in, you can add Akamai MFA as the secondary authentication step to protect all Windows logins, including Remote Desktop Services (RDS). As a result, users signing in to their Windows accounts first authenticate with their Windows credentials. Akamai MFA then challenges them with a secondary authentication request using the factor they enabled on their enrolled mobile device.

The diagram below presents a conceptual model of the authentication process. For clarity, some traffic flows are not shown.

📘

This authentication process applies to users who are enrolled in Akamai MFA.

  1. The user establishes an RDP connection to the Windows server with remote desktop services enabled (further referred to as Windows server).

  2. The Windows server prompts the user to log in using their credentials.

  3. Active Directory confirms that the primary authentication was successful.

  4. Upon successful authentication, the Windows server, using the Akamai plug-in, establishes a connection over TCP port 443 and redirects the user to Akamai MFA.

  5. Akamai MFA challenges the user with secondary authentication.

  6. The user confirms their identity using the selected secondary authentication method.

  7. Akamai MFA redirects the user to the Windows server.

  8. The Windows server allows the user to proceed to the protected application.

[Diagram: ag-win-logon-diagram (Windows Logon plug-in authentication flow)]

Prerequisites

  • This integration communicates with Akamai MFA on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration.

📘

Your <API Host> is available on the Akamai MFA Integrations configuration page.

  • To enable this integration for users, ensure that they have either local or domain user accounts. The users' Windows login names must match their Akamai MFA user names. Also, make sure that the users are enrolled in Akamai MFA and that their registered mobile devices have been activated.

  • Before installing the plug-in, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use Akamai MFA.
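The prerequisite checks above (outbound TCP 443 to the API host, clock synchronization, supported server OS), as an added PowerShell example that is not part of the original page or of the Akamai plug-in. It assumes the placeholder $ApiHost value is replaced with your own <API Host> and that it is run in an elevated PowerShell session on the Windows server:

```powershell
# Added example: pre-installation checks for the Akamai MFA Windows Logon plug-in.
# $ApiHost is the <API Host> value from your Akamai MFA Integrations page;
# the default below is a placeholder, not a real host.
param(
    [string]$ApiHost = 'mfa-api.example.invalid'   # placeholder: replace with your API Host
)

# 1. Outbound TCP 443 to the API host (the port the plug-in uses to reach Akamai MFA).
$tcp = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "OK    outbound TCP 443 to $ApiHost is reachable"
} else {
    Write-Warning "FAIL  outbound TCP 443 to $ApiHost is blocked; fix the firewall before installing"
}

# 2. Time synchronization: a skewed clock causes a time-based error when using Akamai MFA.
$w32 = Get-Service -Name W32Time -ErrorAction SilentlyContinue
if (-not $w32 -or $w32.Status -ne 'Running') {
    Write-Warning "FAIL  Windows Time service (W32Time) is not running"
} else {
    $status = (w32tm /query /status) 2>&1
    $source = ($status | Select-String '^Source:').Line
    # "Local CMOS Clock" as the source means the server is not synced to a network time source.
    if (-not $source -or $source -match 'Local CMOS Clock') {
        Write-Warning "FAIL  clock is not synchronized with a network time source ($source)"
    } else {
        Write-Host "OK    $source"
        Write-Host "      $(($status | Select-String 'Last Successful Sync Time').Line)"
    }
}

# 3. Supported server operating systems listed on this page.
$os = (Get-CimInstance Win32_OperatingSystem).Caption
if ($os -match 'Server (2012 R2|2016|2019)') {
    Write-Host "OK    $os"
} else {
    Write-Warning "CHECK $os is not in the supported server list on this page"
}
```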

System requirements

Windows Logon plug-in supports the following client and server operating systems:

Clients

  • Windows 10

Servers

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

📘

Make sure you've installed the latest Microsoft updates before installing the plug-in.

Add an RDP integration

Follow this procedure to generate the integration credentials that you will need to provide in the next step to enable communication between Akamai MFA and the Windows server.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select RDP.

  4. In Name, enter a unique name for your RDP integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps of the configuration.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

Install the Akamai Windows Logon plug-in

Follow these steps to manually install the Windows Logon plug-in for Akamai MFA.

  1. Download the AkamaiMfaCredentialProvider.msi installation package.

  2. Open Command Prompt as admin.

  3. Launch the installation of the package using the following command: msiexec.exe /i <path to AkamaiMfaCredentialProvider.msi>
    The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaCredentialProvider.msi package.

  4. In the installer welcome dialog, click Next.

  5. In the installer configuration dialog, enter the API Host and the integration credentials that you copied from the Akamai MFA integration page. Click Next.

  6. Select which login attempts you want to protect by adding Akamai MFA as the secondary authentication step:

    • Leave the default Remote Only option if you want to add Akamai MFA only to remote sessions.
    • Select Remote and Console Logon if you want to add Akamai MFA to both local and RDP Windows logins.
  7. Click Install to start the installation.

  8. When the installation is completed, click Finish.
    You've just installed the Windows Logon plug-in for Akamai MFA.
    Now, you can test your configuration.

Upgrade Windows Logon plug-in

The latest version of the Windows RDP plug-in is 3.0.0.0.
If you’re running a plug-in version earlier than 3.0.0.0, you need to upgrade to the latest version.

To upgrade, follow these steps:

  1. To find out which version of the Windows plug-in you’re running on your PC, go to Control Panel > Programs > Programs and Features and check the version of the Akamai MFA Cred Provider.

  2. If you’re running a version earlier than 3.0.0.0, uninstall your current Windows plug-in.

  3. Install the latest plug-in version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in Akamai Enterprise Center.
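The version check and uninstall decision from the upgrade steps above, as an added PowerShell example that is not part of the original page or of the Akamai plug-in. It assumes the plug-in registers itself in the standard Windows Uninstall registry keys under the display name shown in Programs and Features ("Akamai MFA Cred Provider"); the -Uninstall switch is this script's own option, not an installer feature:

```powershell
# Added example: report the installed Akamai MFA Cred Provider version and whether the
# 3.0.0.0 upgrade is needed; optionally uninstall the old version (the reinstall is manual).
param([switch]$Uninstall)

$Required = [version]'3.0.0.0'
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

# Assumption: the display name matches what Programs and Features shows on this page.
$app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Akamai MFA Cred Provider*' } |
       Select-Object -First 1

if (-not $app) {
    Write-Host 'Plug-in not installed; run the msiexec.exe /i installation described on this page.'
    return
}

$installed = $app.DisplayVersion -as [version]
if (-not $installed) {
    Write-Warning "Cannot parse DisplayVersion '$($app.DisplayVersion)'; check Programs and Features manually."
    return
}
Write-Host "Installed: $($app.DisplayName) $installed (required: $Required)"

if ($installed -ge $Required) {
    Write-Host 'Up to date; no upgrade needed.'
    return
}

# Older than 3.0.0.0: uninstall first, then reinstall with the same Integration ID and Signing Key.
# For an MSI-registered product the registry key name (PSChildName) is its {ProductCode} GUID,
# which msiexec /x accepts; /qn runs silently and /l*v writes a verbose log for troubleshooting.
$productCode = $app.PSChildName
if ($Uninstall -and $productCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
    Write-Host "Uninstalling $productCode ..."
    $log = Join-Path $env:TEMP 'akamai-mfa-uninstall.log'
    Start-Process -FilePath msiexec.exe -ArgumentList "/x $productCode /qn /l*v `"$log`"" -Wait
    Write-Host "Done. Now install the latest package with the same Integration ID and Signing Key."
} else {
    Write-Host 'Upgrade required: re-run with -Uninstall or remove the plug-in via Programs and Features,'
    Write-Host 'then install the latest version with the same Integration ID and Signing Key.'
}
```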

Test your setup

Before you begin

Enroll your mobile device in Akamai MFA.

In this step, you will log in to the user's Windows account to check if the configuration works correctly.

Testing your setup lets you experience the end user's authentication process.

📘

This step is optional.

  1. Log in to Windows using your Windows username and password.

  2. You're redirected to the Akamai MFA authentication prompt, where you can select the preferred secondary factor.

  3. The authentication request is sent to your enrolled mobile device. Click Allow to confirm your identity.

  4. Once you successfully confirm your identity, you're logged in to your Windows account.

