Windows Logon plug-in
With Akamai Windows Logon plug-in, you can add Akamai MFA as the secondary authentication step to protect all Windows logins including the Remote Desktop Services (RDS). As a result, users when signing in to their Windows accounts have to, first, authenticate themselves using their Windows credentials. Next, Akamai MFA challenges them with the secondary authentication request using the factor that they enabled on their enrolled mobile device.
See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.
This authentication process refers to users who are enrolled in Akamai MFA.
-
The user establishes an RDP connection to the Windows server with remote desktop services enabled (further referred to as Windows server).
-
The Windows server prompts the user to log in using their credentials.
-
Active Directory confirms that the primary authentication was successful.
-
Upon successful authentication, the Windows server, using the Akamai plug-in, establishes a connection over TCP port 443 and redirects the user to Akamai MFA.
-
Akamai MFA challenges the user with secondary authentication.
-
The user confirms their identity using the selected secondary authentication method.
-
Akamai MFA redirects the user to the Windows server.
-
The Windows server allows the user to proceed to the protected application.
Prerequisites
- This integration communicates with Akamai MFA on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following
csv
file provides the relevant CIDR blocks for the mfa.akamai.com host: Akamai MFA CIDR blocks list.
Your <API Host> is available in the Akamai MFA Integrations configuration page.
-
To enable this integration for users, ensure that they have either local or domain user accounts. The users' Windows login names have to match their Akamai MFA user names. Also, make sure that the users are enrolled in Akamai MFA and their registered mobile devices have been activated.
-
Prior to the installation of the plug-in, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use Akamai MFA.
System requirements
The latest Windows Logon plug-in supports the following client and server operating systems:
Clients
- Windows 10 (64-bit)
Servers
- Windows Server 2012 R2 (64-bit)
- Windows Server 2016 (64-bit)
- Windows Server 2019 (64-bit)
Specific usage requirements and caveats apply when running the plug-in on Windows Server 2012R2:
- For Windows Server 2012R2 console login, the user needs to enter their username and password in a single field on the lock screen to log in for the first time.
- The current username is stored after successful first time log in, and for subsequent attempts the lock screen log-in field gets automatically populated with the username. To proceed and unlock the screen, the user needs to enter just the password.
The legacy Windows Logon plug-in supports the following server operating system:
- Windows Server 2012 R1 Standard (64-bit)
Make sure you've installed the latest Microsoft updates before installing the plug-in.
Add an RDP integration
Follow this procedure to generate the integration credentials that you will need to provide in the following step to enable the communication between Akamai MFA and the Windows server.
-
In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
-
Click Add integration (+).
-
In Integration Type, select the RDP.
-
In Name, enter a unique name for your RDP integration.
-
Click Save and Deploy.
You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps of the configuration.
Your Signing Key should be kept completely secret like any other password or secret key credential.
Install the latest Akamai MFA Windows Logon plug-in
Follow these steps to manually install the Windows Logon plug-in for Akamai MFA. Please note that this version of the plug-in doesn't support Windows Server 2012 R1 Standard, which is now supported by the legacy version of the plug-in.
Before you begin
How to
-
Download the
AkamaiMfaCredentialProviderLatest.msi
installation package. -
Open Command Prompt as admin.
-
Launch the installation of the package using the following command
msiexec.exe /i <path to AkamaiMfaCredentialProviderLatest.msi>
.
The installation prompt displays. Follow the on-screen instructions to install theAkamaiMfaCredentialProviderLatest.msi
package. -
In the installer welcome dialog, click Next.
-
The installer configuration dialog, enter the API Host, and your authentication credentials copied from the Akamai MFA integration page. Click Next.
-
Select which login attempts you want to protect by adding Akamai MFA as the secondary authentication step:
- Leave the default Remote Only option if you want to add Akamai MFA only to remote sessions.
- Select Remote and Console Logon if you want to add Akamai MFA to both local and RDP Windows logins.
-
Click Install to start the installation.
-
When the installation is completed, click Finish.
You've just installed the Windows Logon plug-in for Akamai MFA.
Now, you can test your configuration.
Update your Windows Logon plug-in
The latest version of the Windows RDP plug-in is 3.4.3.4.
If you’re running a plug-in version earlier than 3.4.3.4, you need to update to the latest version. Please note that this upgrade procedure doesn't apply to the legacy version of the plugin.
To update, follow these steps:
-
To find out which version of the Windows plug-in you’re running on your PC go to Control Panel > Programs > Programs and Features and check the version of the Akamai MFA Cred Provider.
-
If you’re running a version earlier than 3.4.3.4, uninstall your current Windows Logon plug-in.
-
Install the latest plug-in version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in Akamai Enterprise Center.
Install the legacy Akamai MFA Windows Logon plug-in
Follow these steps to manually install the legacy version of the Windows Logon plug-in for Akamai MFA.
The legacy plug-in supports Windows Server 2012 R1 Standard only and should NOT be installed on any other Windows OS.
Before you begin
-
Update your OS to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.
-
Install the KB4601348 security update from Microsoft Update Catalog.
How to
-
Download the
AkamaiMfaCredentialProviderLegacyLatest.msi
installation package. -
Open Command Prompt as admin.
-
Launch the installation of the package using the following command
msiexec.exe /i <AkamaiMfaCredentialProviderLegacyLatest.msi>
.
The installation prompt displays. Follow the on-screen instructions to install theAkamaiMfaCredentialProviderLegacyLatest.msi
package. -
In the installer welcome dialog, click Next.
-
The installer configuration dialog, enter the API Host, and your authentication credentials copied from the Akamai MFA integration page. Click Next.
-
Select which login attempts you want to protect by adding Akamai MFA as the secondary authentication step:
- Leave the default Remote Only option if you want to add Akamai MFA only to remote sessions.
- Select Remote and Console Logon if you want to add Akamai MFA to both local and RDP Windows logins.
-
Click Install to start the installation.
-
When the installation is completed, click Finish.
You've just installed the Windows Logon plug-in for Akamai MFA.
Now, you can test your configuration.
Update your Legacy Windows Logon plug-in
The latest version of the Legacy Windows RDP plug-in is 0.1.2.3
If you’re running a plug-in version earlier than 0.1.2.3, you need to update to the latest legacy version.
To update, follow these steps:
-
To find out which version of the Legacy Windows plug-in you’re running on your PC go to Control Panel > Programs > Programs and Features and check the version of the Akamai MFA Cred Provider.
-
If you’re running a version earlier than 0.1.2.3, uninstall your current Legacy Windows Logon plug-in.
-
Install the latest legacy plug-in version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in Akamai Enterprise Center.
Test your setup
Before you begin
Enroll your mobile device in Akamai MFA to learn more.
In this step, you will log in to the user's Windows account to check if the configuration works correctly.
Testing your setup allows you to experience the end-users authentication process.
This step is optional.
-
Log in to Windows using your Windows username and password.
-
You're redirected to the Akamai MFA authentication prompt, where you can select the preferred secondary factor.
-
The authentication request is sent to your enrolled mobile device. Click Allow to confirm your identity.
-
Once you successfully confirm your identity, you're logged in to your Windows account.
Updated 15 days ago