Windows Logon plugin

With ​Akamai​ Windows Logon plugin, you can add ​Akamai MFA​ as the secondary authentication step to protect all Windows logins including the Remote Desktop Services (RDS). As a result, users when signing in to their Windows accounts have to, first, authenticate themselves using their Windows credentials. Next, ​Akamai MFA​ challenges them with the secondary authentication request using the factor that they enabled on their enrolled mobile device.

See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.

📘

This authentication process refers to users who are enrolled in ​Akamai MFA​.

  1. The user establishes an RDP connection to the Windows server with remote desktop services enabled (further referred to as Windows server).

  2. The Windows server prompts the user to log in using their credentials.

  3. Active Directory confirms that the primary authentication was successful.

  4. Upon successful authentication, the Windows server, using the ​Akamai​ plugin, establishes a connection over TCP port 443 and redirects the user to ​Akamai MFA​.

  5. ​Akamai MFA​ challenges the user with secondary authentication.

  6. The user confirms their identity using the selected secondary authentication method.

  7. ​Akamai MFA​ redirects the user to the Windows server.

  8. The Windows server allows the user to proceed to the protected application.

ag-win-logon-diagram

Before you begin

  • This integration communicates with ​Akamai MFA​ on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following csv file provides the relevant CIDR blocks for the ​mfa.akamai.com​ host: ​Akamai MFA​ CIDR blocks list.

📘

Your <API Host> is available in the ​Akamai MFA​ Integrations configuration page.

  • To enable this integration for users, ensure that they have either local or domain user accounts. The users' Windows login names have to match their ​Akamai MFA​ user names. Also, make sure that the users are enrolled in ​Akamai MFA​ and their registered mobile devices have been activated.

  • Prior to the installation of the plugin, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use ​Akamai MFA​.

System requirements

The latest Windows Logon plugin supports the following client and server operating systems:

Clients

  • Windows 10 (64-bit)
  • Windows 11

Servers

  • Windows Server 2012 R2 (64-bit)
  • Windows Server 2016 (64-bit)
  • Windows Server 2019 (64-bit)
  • Windows Server 2022

🚧

Specific usage requirements and caveats apply when running the plugin on Windows Server 2012R2:

  • For Windows Server 2012R2 console login, the user needs to enter their username and password in a single field on the lock screen to log in for the first time.
  • The current username is stored after successful first time log in, and for subsequent attempts the lock screen log-in field gets automatically populated with the username. To proceed and unlock the screen, the user needs to enter just the password.

The legacy Windows Logon plugin supports the following server operating system:

  • Windows Server 2012 R1 Standard (64-bit)

📘

Make sure you've installed the latest Microsoft updates before installing the plugin.

Add an RDP integration

Follow this procedure to generate the integration credentials that you will need to provide in the following step to enable the communication between ​Akamai MFA​ and the Windows server.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select the RDP.

  4. In Name, enter a unique name for your RDP integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps of the configuration.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

Install the latest ​Akamai MFA​ Windows Logon plugin

Follow these steps to install the Windows Logon plugin for ​Akamai MFA​ using the installation wizard. Please note that this version of the plugin doesn't support Windows Server 2012 R1 Standard, which is supported by the legacy version of the plugin instead.

Before you begin

How to

  1. Download the AkamaiMfaCredentialProvider-3.5.4.0.msi installation package.

  2. Navigate to your downloads folder and open the AkamaiMfaCredentialProvider-3.5.4.0.msi installer package.

  3. In the installer welcome dialog, click Next.

  4. In the installer configuration dialog, enter the API Host copied from the ​Akamai MFA​ integration page.

  5. Optionally, tick Configure a manual proxy for ​Akamai MFA​ traffic to use an outbound proxy for ​Akamai MFA​ traffic and specify your Proxy Host and Proxy Port. Click Next.

  6. Enter your authentication credentials copied from the ​​Akamai MFA​​ integration page and click Next.

  7. Select which login attempts you want to protect by adding ​Akamai MFA​ as the secondary authentication step:

    • Leave the default Remote Logon Only option if you want to add ​Akamai MFA​ only to remote sessions.
    • Select Remote and Console Logon if you want to add ​Akamai MFA​ to both local and RDP Windows logins.
  8. Click Install to start the installation.

  9. Wait for the installation process to complete and click Finish.
    You've just installed the Windows Logon plugin for ​Akamai MFA​.
    Now, you can test your configuration.

Install the latest ​Akamai MFA​ Windows Logon plugin silently

Follow these steps to silently install the Windows Logon plugin for ​Akamai MFA​ using the command line. Please note that this version of the plugin doesn't support Windows Server 2012 R1 Standard, which is supported by the legacy version of the plugin instead.

Before you begin

How to

  1. Download the AkamaiMfaCredentialProvider-3.5.4.0.msi installation package.
  2. Open the command line (cmd).
  3. Navigate to your downloads folder, for example cd C:\Users\Username\Downloads.
  4. Prepare your integration credentials and proxy settings. The installer accepts the following parameters:
ParameterMeaning
APIHOST="<host>"Required. Specifies the API Host. You can find this information in Enterprise Center by navigating to the RDP integration page.
APPID="<integration_id>"Required. Specifies the Integration ID. You can find this information in Enterprise Center by navigating to the RDP integration page.
SIGNINGKEY="<signing_key>"Required. Specifies the Signing Key. You can find this information in Enterprise Center by navigating to the RDP integration page.
REMOTEONLY="<1 or 0>"Required. Specifies if local logins are allowed.

Values:

  • 1 to allow RDP logins only
  • 0 to allow RDP and local logins
MANUALPROXYENABLED="<1 or 0>"Optional. Specifies whether to use an outbound proxy for ​Akamai MFA​ traffic. Proxy is disabled by default.

Values:

  • 1 to enable proxy
  • 0 to disable proxy
PROXYHOST="<manual_proxy_host>"Optional. With manual proxy enabled, specifies your proxy host. It can be an IP address or a hostname.
PROXYPORT="<manual_proxy_port>"Optional. With manual proxy enabled, specifies your proxy port.
  1. Launch the installer using the command line. For example, you may enter the following command to silently install the plugin and set it up to use a proxy server:
msiexec /i AkamaiMfaCredentialProvider-3.5.4.0.msi APIHOST="mfa.akamai.com" APPID="app_1234" SIGNINGKEY="abcd"  REMOTEONLY="1" MANUALPROXYENABLED="1" PROXYHOST="198.51.100.0" PROXYPORT="8080" /quiet
  1. The installation process runs silently. When it's complete, you can test your configuration.

Update your Windows Logon plugin

The latest version of the Windows Logon plugin is 3.5.4.0.

If you’re running a plugin version earlier than 3.5.4.0, you need to update to the latest version. Please note that this upgrade procedure doesn't apply to the legacy version of the plugin.

To update, follow these steps:

  1. Uninstall your current Windows Logon plugin.
  2. Install version 3.5.4.0 of the plugin using the same Integration ID and Signing Key that you generated when creating the RDP integration in ​Akamai​ Enterprise Center.

Install the legacy ​Akamai MFA​ Windows Logon plugin

Follow these steps to manually install the legacy version of the Windows Logon plugin for ​Akamai MFA​.

🚧

The legacy plugin supports Windows Server 2012 R1 Standard only and should NOT be installed on any other Windows OS. This plugin doesn't support offline authentication.

Before you begin

  1. Update your OS to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

  2. Install the KB4601348 security update from Microsoft Update Catalog.

How to

  1. Download the AkamaiMfaCredentialProviderLegacyLatest.msi installation package.

  2. Open Command Prompt as admin.

  3. Launch the installation of the package using the following command msiexec.exe /i <AkamaiMfaCredentialProviderLegacyLatest.msi>.
    The installation prompt displays. Follow the on-screen instructions to install the AkamaiMfaCredentialProviderLegacyLatest.msi package.

  4. In the installer welcome dialog, click Next.

  5. The installer configuration dialog, enter the API Host, and your authentication credentials copied from the ​Akamai MFA​ integration page. Click Next.

  6. Select which login attempts you want to protect by adding ​Akamai MFA​ as the secondary authentication step:

    • Leave the default Remote Only option if you want to add ​Akamai MFA​ only to remote sessions.
    • Select Remote and Console Logon if you want to add ​Akamai MFA​ to both local and RDP Windows logins.
  7. Click Install to start the installation.

  8. When the installation is completed, click Finish.
    You've just installed the Windows Logon plugin for ​Akamai MFA​.
    Now, you can test your configuration.

Update your Legacy Windows Logon plugin

The latest version of the Legacy Windows RDP plugin is 0.1.2.3
If you’re running a plugin version earlier than 0.1.2.3, you need to update to the latest legacy version.
To update, follow these steps:

  1. To find out which version of the Legacy Windows plugin you’re running on your PC go to Control Panel > Programs > Programs and Features and check the version of the ​Akamai MFA​ Cred Provider.

  2. If you’re running a version earlier than 0.1.2.3, uninstall your current Legacy Windows Logon plugin.

  3. Install the latest legacy plugin version using the same Integration ID and Signing Key that you generated in step 1 when creating the RDP integration in ​Akamai​ Enterprise Center.

Test your setup

Before you begin

Enroll your mobile device in ​Akamai MFA​ to learn more.

In this step, you will log in to the user's Windows account to check if the configuration works correctly.

Testing your setup allows you to experience the end-users authentication process.

📘

This step is optional.

  1. Log in to Windows using your Windows username and password.

  2. You're redirected to the ​Akamai MFA​ authentication prompt, where you can select the preferred secondary factor.

  3. The authentication request is sent to your enrolled mobile device. Click Allow to confirm your identity.

  4. Once you successfully confirm your identity, you're logged in to your Windows account.

Set up Windows offline authentication

📘

You need to set up your offline authentication policy in Enterprise Center first to enable this feature.

Follow these steps to enable offline authentication on your Windows workstation.

How to

  1. On your Windows login screen, enter your credentials and press Enter.

  2. Select your authentication device and method to authenticate.

    After successful authentication, you are prompted to activate offline authentication.

  3. Click Activate Now.

  4. With your TOTP authenticator app, scan the QR code displayed on the screen.

  5. After scanning the QR code, your authenticator app displays a 6-digit code. Enter that code into the 6-digit code input field on your workstation.

  6. Click Activate Offline Login.

    You are now logged in to your Windows session. Next time you log in, you will be able to authenticate offline.

Authenticate offline

Follow these steps to log in to your Windows account when you are offline.

How to

  1. On your Windows login screen, enter your credentials and press Enter.

  2. If the ​Akamai MFA​ Windows logon plugin detects that your workstation has no Internet connection, you are prompted to authenticate offline.

  3. Open your TOTP authenticator app to get the 6-digit authorization code.

  4. On your workstation, enter the 6-digit code into the login input field.

  5. Click Login.

    You are now logged in to your Windows session.

Note that depending on the offline policy configuration, you may be prompted to authenticate online after reaching max allowed consecutive offline logins, or max allowed offline days.