miniOrange integrates with the Microsoft Windows operating system to add two-factor / multi-factor authentication (2FA/MFA) to Remote Desktop (RDP) connections, Windows logon, and local logons. You can integrate it with your on-premise or hybrid Active Directory (AD) to secure your workforce and the corporate network.
Ransomware attacks are frequently associated with unprotected Remote Desktop Protocol (RDP) exposure. Given the pace of password-based breaches, relying only on a username and password to secure an RDP account is no longer an option, which is why additional layers of security are needed to filter out unauthorized users at Windows logon and over RDP. miniOrange Two-Factor / Multi-Factor Authentication (2FA/MFA) for RDP prevents these password-based breaches by adding a second factor to your Microsoft Windows account.
Enabling Windows logon and RDP 2FA/MFA verifies the user's identity before every access, making it harder for unauthorized users to reach your Microsoft Windows account. The miniOrange Credential Provider can be installed on Windows client and server operating systems to enforce Multi-Factor Authentication for interactive logon and for Remote Desktop Protocol (RDP).
The Remote Desktop (RDP) and Windows logon MFA solution also handles user management against Microsoft Active Directory or an LDAP directory. With it, users get access to the endpoints they need with higher identity assurance and lower risk and exposure. Offline access can also be enabled so that authentication still works when the machine cannot reach the MFA service. With miniOrange's 2FA/MFA solution, organizations get secure access to all work applications, for all their users, from anywhere, on any device they choose.
miniOrange 2FA/MFA Credential Provider for Windows logon and Remote Desktop Protocol (RDP) access supports the following Multi-Factor Authentication (MFA) methods, listed by authentication type:
Authentication Type - Method
miniOrange Authenticator - Soft Token
miniOrange Authenticator - miniOrange Push Notification
miniOrange Authenticator - Mobile Token
Google Authenticator
Microsoft Authenticator
Authy Authenticator
SMS - OTP Over SMS
SMS - SMS with Link
Email - OTP Over Email
Email - Email with Link
Call Verification - OTP Over Call
Hardware Token - Yubikey Hardware Token
Hardware Token - Display Hardware Token
System Requirements for miniOrange Two-factor / Multi-Factor Authentication (2FA / MFA) Windows logon and RDP Credential Provider
miniOrange Credential Provider for Remote Desktop Protocol (RDP) Access supports both client and server operating systems.
Supported Microsoft Windows Client versions:
Windows 7 SP1
Windows 8.1
Windows 10
Windows 11
Supported Windows Server versions (GUI and Server Core installs):
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
miniOrange Two-Factor/Multi-Factor Authentication (2FA/MFA) Credential Provider for Remote Desktop (RDP) and Windows logon also requires .NET Framework 4.5 or later. If the correct .NET version is not present on your system, the miniOrange Credential Provider setup prompts you to install the .NET Framework.
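As an added example (this script is not part of the miniOrange installer or its documentation), the following PowerShell reports whether the machine it runs on meets the two requirements above. It reads the OS version from WMI and the .NET Framework 4.x release number that the .NET installer writes under HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full; 378389 is the Release value of .NET 4.5, and every later 4.x release writes a higher value. The function name is my own.

```powershell
# Added example, not miniOrange code: checks the OS version and .NET Framework prerequisites.
function Test-CredentialProviderPrereqs {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version

    # NT 6.1 = Windows 7 / Server 2008 R2 (SP1 required), 6.2 = Windows 8 / Server 2012,
    # 6.3 = Windows 8.1 / Server 2012 R2, 10.0 = Windows 10, 11, Server 2016 and later.
    # ProductType 1 is a workstation: Windows 8 itself is not in the supported client list above,
    # while Server 2012 (same 6.2 kernel) is.
    if ($ver -lt [version]'6.1')                     { $osOk = $false }
    elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1)  { $osOk = $os.ServicePackMajorVersion -ge 1 }
    elseif ($ver.Major -eq 6 -and $ver.Minor -eq 2)  { $osOk = $os.ProductType -ne 1 }
    else                                             { $osOk = $true }

    # The .NET 4.x installer records its build under this key; Release 378389 is 4.5.
    $ndp = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -Name Release -ErrorAction SilentlyContinue
    $release = $ndp.Release                           # $null when .NET 4.x is not installed at all
    $netOk   = ($null -ne $release) -and ($release -ge 378389)

    [pscustomobject]@{
        OS          = $os.Caption
        Version     = $os.Version
        OSSupported = $osOk
        NetRelease  = $release
        NetOk       = $netOk
        Ready       = $osOk -and $netOk
    }
}

Test-CredentialProviderPrereqs | Format-List
```

Windows 7 SP1 and Server 2008 R2 SP1 ship with PowerShell 2.0, which has no Get-CimInstance; on those systems install Windows Management Framework 3.0 or later first, or replace the call with Get-WmiObject Win32_OperatingSystem.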
miniOrange offers free help through a consultation call with our system engineers to install or set up the Two-Factor/Multi-Factor Authentication (MFA) for Remote Desktop Protocol (RDP) solution in your environment, with a 30-day trial.
To book a slot, send an email to idpsupport@xecurify.com and we'll help you set it up in no time.
The username of the user in miniOrange must be the same as the Windows username.
This is required so that the service can prompt for the appropriate 2FA for that user, based on the defined policy, and grant secure access to the machine or RDP session.
There are multiple ways to add users in miniOrange.
Disable the methods you don't want your users to configure or use for MFA.
3. Setup miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon
Open miniOrange 2FA Configuration from the Start Menu.
Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" show "Yes". If any of these are not as expected, see this FAQ to fix it.
3a. Integrate the module with your miniOrange account.
Click on Plugin Selection, then double-click miniOrange under Plugin Name.
A 2FA Configuration form will open up
Note:
If you're using the on-premise IDP application, replace the IDP Server URL with the base URL of your on-premise IDP application and make sure that URL is reachable from this machine. You can also use the IP address of the server where the IDP application is hosted.
To fill in these details, log in to your miniOrange admin account on Cloud or on-premise.
Click on the Settings cog on top right and select Product Settings
Copy the Customer Key and API key
Now, go to Apps and copy the name of the Windows application created in step 2.
Paste all these details into the form and click Save. Leave the checkboxes as they are; more about them later.
3b. Test MFA
Note:
Please make sure that at this point a user with the same username as the Windows user exists in miniOrange and has 2FA set up. For instructions on setting up 2FA from the Self Service Console, see this link.
Click on Test MFA button
Enter your machine username, which must also exist in miniOrange, and click Test MFA.
You will be prompted to select one of the 2FA methods you've configured. Select one method and click Next.
Provide the validation:
If asked for OTP, enter OTP and click on Login.
OR
If asked for approval through Push notification, Accept the Push notification on your phone
After Successful Validation, you’ll see a Test Successful message
3c. Configure Domain
Note:
Skip this step if you're not configuring this on a domain-joined machine.
In the Plugin Selection tab, double-click Domain User Login.
Replace the domain name with the AD domain that appears before the username.
To check your domain name, you can also run the command: SET USERDOMAIN
Click on Save.
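The steps in this section ask you to confirm three things by hand: that the miniOrange service is running, that the credential provider is registered and enabled, and which domain name to enter under Domain User Login. As an added example (not part of the miniOrange configuration tool), the following PowerShell reads the same state directly from Windows. Assumptions: the service's name or display name and the credential provider's registered name or DLL path contain "miniOrange"; the CLSID the provider registers under is not documented here, so it is located by that name rather than hard-coded; the function name is my own.

```powershell
# Added example, not miniOrange code: read-only check of service, credential provider and domain state.
function Get-MiniOrangeLogonStatus {
    # Assumption: the service name or display name contains "miniOrange".
    $svc = Get-Service | Where-Object { $_.Name -like '*miniOrange*' -or $_.DisplayName -like '*miniOrange*' }
    $svcFirst = $svc | Select-Object -First 1

    # LogonUI loads the credential providers listed under this key. Each subkey is the provider's
    # CLSID with its friendly name as the default value; a Disabled=1 value there hides a registered
    # provider from the logon UI, which is the difference between "Registered" and "Enabled".
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $providers = Get-ChildItem -LiteralPath $cpRoot | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $clsid = $_.PSChildName
        # The COM registration under HKCR\CLSID names the DLL that implements the provider.
        $dll = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                 -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $props.'(default)'; Disabled = [bool]$props.Disabled; Dll = $dll }
    }
    # Assumption: the provider's registered name or DLL path contains "miniOrange".
    $mo = $providers | Where-Object { $_.Name -like '*miniOrange*' -or $_.Dll -like '*miniOrange*' } |
          Select-Object -First 1

    # Domain User Login wants the name that appears before the backslash in DOMAIN\user, i.e. the
    # NetBIOS name that SET USERDOMAIN shows for a domain account; Win32_ComputerSystem.Domain is the DNS name.
    $cs = Get-CimInstance Win32_ComputerSystem

    [pscustomobject]@{
        ServiceName    = $svcFirst.Name
        ServiceRunning = ($null -ne $svcFirst) -and ($svcFirst.Status -eq 'Running')
        CPRegistered   = $null -ne $mo
        CPEnabled      = ($null -ne $mo) -and (-not $mo.Disabled)
        CPClsid        = $mo.CLSID
        CPDll          = $mo.Dll
        DomainJoined   = $cs.PartOfDomain
        DnsDomain      = $cs.Domain
        UserDomain     = $env:USERDOMAIN
    }
}

Get-MiniOrangeLogonStatus | Format-List
```

Reading these keys needs no elevation. If the tool reports Registered = Yes but Enabled = No, a Disabled value under the provider's CLSID is the first thing to look for, since that value is how Windows hides a registered provider from the logon screen. UserDomain is the value to put in front of the username in Domain User Login; DnsDomain is shown alongside it because the two differ on most domains and the DNS form is the wrong one here.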
4. Use miniOrange MFA during login
You should see the miniOrange login page after locking the computer or signing out. Enter your username and password.
Note: The logo and message on the login page can be customized from the General tab in miniOrange configuration.
If you're using RDP, start an RDP connection using your username and password.
You'll see the 2FA prompt. Proceed by selecting a 2FA option and validating it.
miniOrange Credential Provider for Remote Desktop (RDP) and Windows Logon
The user initiates the login to Windows or to Remote Desktop Services either through a Remote Desktop client or via the RD Web login page in a browser. A RADIUS request is then sent from the miniOrange RD Web component installed on the target machine to the miniOrange RADIUS server, which authenticates the user against the local AD; after successful authentication, two-factor authentication (2FA) of the user is invoked. Once the user completes the second factor, access to the Remote Desktop service (RDP) is granted.
There are several ways a user can connect to Remote Desktop Services (RDS) over RDP, and each has its own 2FA flow:
RDC - Remote Desktop Client: If the desktop or RemoteApp is launched through a Remote Desktop client application, users validate their two-factor authentication (2FA) at the point where they enter their username and password to access the resources. Because this path does not support the RADIUS Access-Challenge response, only out-of-band authentication methods (push notification, for example) are supported here.
RD Web Access - RD Web login page via browser: If the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for two-factor authentication (2FA) via a RADIUS Access-Challenge. After users correctly authenticate themselves, they are connected to their resources.
RD Gateway: If the organization's resources or servers are protected by a Remote Desktop Gateway, you can set up 2FA/MFA on top of that as well. First-level authentication is done using the AD credentials, and miniOrange then prompts for the configured 2FA/MFA. See the guide to set up Remote Desktop Gateway MFA (RD Gateway MFA/2FA).
Two-Factor Authentication (2FA/MFA) for RDS via RD Web
How it works
In this case, the user opens the RD Web login page in a browser to connect to the Remote Desktop Service and enters a username and password. On submission, the RD Web component installed on the target machine sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD on the target machine.
Once the first factor is verified, the RADIUS server sends a RADIUS Access-Challenge back to RD Web, and RD Web now shows an OTP screen in the browser. When the user enters the one-time passcode, the miniOrange IdP verifies it and grants or denies access to RDS.
Once connected to the Remote Desktop Service, the user can also open the published RemoteApp icons shown in the browser, since the session has already been created for that user. Know more about Remote Desktop (RD) Web 2FA/MFA.
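The RADIUS leg of the RD Web flow described above, as an added example written for this page: it is not miniOrange code and does not talk to miniOrange's RADIUS server. Both sides are simulated in one PowerShell script with raw RFC 2865 packets, so the four messages are visible as bytes: the Access-Request carrying the AD password (User-Password, attribute 2, obfuscated with the shared secret), the Access-Challenge carrying State (24) and Reply-Message (18), the second Access-Request that echoes the State and carries the OTP in User-Password, and the final Access-Accept or Access-Reject. The shared secret, the user, the password and the OTP are made up, the hashtables stand in for AD and for the user's registered 2FA device, and all function names are mine.

```powershell
# Added example, not miniOrange code: the RADIUS exchange behind RD Web MFA, both sides in one
# script, using raw RFC 2865 packets. Secret, user, password and OTP below are made up.
$Md5 = [System.Security.Cryptography.MD5]::Create()
$Enc = [System.Text.Encoding]::UTF8
function Get-Bytes([string]$s) { ,[byte[]]$Enc.GetBytes($s) }
function New-Nonce16 { $b = New-Object byte[] 16; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); ,$b }

# Attribute TLV: Type(1) Length(1) Value.  1=User-Name 2=User-Password 18=Reply-Message 24=State
function New-Attr([int]$Type, [byte[]]$Value) { ,[byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value) }

# RFC 2865 5.2: pad to 16-byte blocks, XOR with MD5(secret + RequestAuthenticator); later blocks
# chain on the previous ciphertext block. The same routine decodes when $Encrypt is $false.
function ConvertTo-PapBlocks([byte[]]$Data, [byte[]]$Secret, [byte[]]$ReqAuth, [bool]$Encrypt) {
    $n = [int][math]::Ceiling($Data.Length / 16) * 16
    $in = New-Object byte[] $n; [Array]::Copy($Data, $in, $Data.Length); $out = New-Object byte[] $n
    $prev = $ReqAuth
    for ($i = 0; $i -lt $n; $i += 16) {
        $b = $Md5.ComputeHash([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $in[$i + $j] -bxor $b[$j] }
        $prev = if ($Encrypt) { $out[$i..($i + 15)] } else { $in[$i..($i + 15)] }
    }
    ,$out
}

# Packet: Code(1) Identifier(1) Length(2, big-endian) Authenticator(16) Attributes
function New-Packet([int]$Code, [int]$Id, [byte[]]$Auth, [byte[]]$Attrs) {
    $len = 20 + $Attrs.Length
    ,[byte[]](@([byte]$Code, [byte]$Id, [byte]($len -shr 8), [byte]($len -band 0xFF)) + $Auth + $Attrs)
}
# Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret). The client
# verifies it, so a reply forged by something that does not know the secret is dropped.
function New-Response([int]$Code, [byte[]]$Request, [byte[]]$Attrs, [byte[]]$Secret) {
    $p = New-Packet $Code $Request[1] $Request[4..19] $Attrs
    [Array]::Copy($Md5.ComputeHash([byte[]]($p + $Secret)), 0, $p, 4, 16)
    ,$p
}
function Test-Response([byte[]]$Resp, [byte[]]$Request, [byte[]]$Secret) {
    $copy = [byte[]]$Resp.Clone(); [Array]::Copy($Request, 4, $copy, 4, 16)
    [Convert]::ToBase64String($Md5.ComputeHash([byte[]]($copy + $Secret))) -eq [Convert]::ToBase64String([byte[]]$Resp[4..19])
}
function Read-Attrs([byte[]]$Pkt) {
    $a = @{}; $i = 20
    while ($i -lt $Pkt.Length) { $l = $Pkt[$i + 1]; $a[[int]$Pkt[$i]] = [byte[]]$Pkt[($i + 2)..($i + $l - 1)]; $i += $l }
    $a
}

# --- RADIUS server side (stands in for the miniOrange RADIUS server) ---
$Secret    = Get-Bytes 'made-up-shared-secret'   # assumption: same secret on the RD Web component and the server
$Directory = @{ alice = 'Passw0rd!' }            # stands in for AD password verification
$OtpStore  = @{ alice = '482913' }               # stands in for the user's registered 2FA device
$Pending   = @{}                                 # State -> user whose first factor already passed

function Invoke-RadiusServer([byte[]]$Req) {
    $a = Read-Attrs $Req
    $user = $Enc.GetString($a[1])
    $pw = $Enc.GetString((ConvertTo-PapBlocks $a[2] $Secret $Req[4..19] $false)).TrimEnd([char]0)
    if ($a.ContainsKey(24)) {                     # leg 2: State present, User-Password carries the OTP
        $state = $Enc.GetString($a[24])
        $ok = ($Pending[$state] -eq $user) -and ($OtpStore[$user] -eq $pw)
        if ($ok) { $Pending.Remove($state) }      # one-shot: the State cannot be replayed
        return ,(New-Response $(if ($ok) { 2 } else { 3 }) $Req @() $Secret)   # Access-Accept / Access-Reject
    }
    if ($Directory[$user] -ne $pw) { return ,(New-Response 3 $Req @() $Secret) }   # first factor failed
    $state = [guid]::NewGuid().ToString('N'); $Pending[$state] = $user
    $attrs = [byte[]]((New-Attr 24 (Get-Bytes $state)) + (New-Attr 18 (Get-Bytes 'Enter OTP')))
    ,(New-Response 11 $Req $attrs $Secret)        # Access-Challenge: RD Web now shows the OTP screen
}

# --- RD Web component side ---
function Invoke-RdWebLogin([string]$User, [string]$Password, [string]$Otp) {
    $ra1 = New-Nonce16                             # leg 1: username + AD password from the login form
    $attrs = [byte[]]((New-Attr 1 (Get-Bytes $User)) + (New-Attr 2 (ConvertTo-PapBlocks (Get-Bytes $Password) $Secret $ra1 $true)))
    $req1 = New-Packet 1 7 $ra1 $attrs
    $resp1 = Invoke-RadiusServer $req1
    if (-not (Test-Response $resp1 $req1 $Secret)) { return 'Dropped: bad Response Authenticator' }
    if ($resp1[0] -ne 11) { return 'Access-Reject (first factor)' }
    $state = (Read-Attrs $resp1)[24]
    $ra2 = New-Nonce16                             # leg 2: echo State, put the OTP in User-Password
    $attrs = [byte[]]((New-Attr 1 (Get-Bytes $User)) + (New-Attr 2 (ConvertTo-PapBlocks (Get-Bytes $Otp) $Secret $ra2 $true)) + (New-Attr 24 $state))
    $req2 = New-Packet 1 8 $ra2 $attrs
    $resp2 = Invoke-RadiusServer $req2
    if (-not (Test-Response $resp2 $req2 $Secret)) { return 'Dropped: bad Response Authenticator' }
    if ($resp2[0] -eq 2) { 'Access-Accept' } else { 'Access-Reject (OTP)' }
}

Invoke-RdWebLogin 'alice' 'Passw0rd!' '482913'   # Access-Accept
Invoke-RdWebLogin 'alice' 'Passw0rd!' '000000'   # Access-Reject (OTP)
```

Two properties of the exchange are worth checking in a real deployment. The client only trusts a reply whose Response Authenticator verifies under the shared secret, so an Access-Accept injected by another host on the path is discarded, which is also why the secret must be long and unique per client. The server only accepts an OTP for a State it issued after the first factor passed and removes the State once used, so an attacker cannot skip the password step or replay a completed challenge. The RDC path described earlier is the case where the client cannot process an Access-Challenge at all, which is why only out-of-band methods work there.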