How to setup 2FA/MFA for Windows Logon & RDP


With the increasing number of password-based security breaches, relying on just usernames and passwords to secure Windows local logins or Remote Desktop Protocol (RDP) is no longer enough. Cyber attackers can easily exploit weak or stolen credentials, putting your business-critical systems at risk.

That’s why organizations today are turning to the miniOrange MFA product, which adds an extra layer of security in the form of Two-Factor Authentication (2FA) to prevent unauthorized access.

Why Choose miniOrange MFA for Windows and RDP?

The miniOrange Windows Two-Factor Authentication (2FA) solution protects against password compromise by introducing two successive levels of authentication.

    1. First Factor: User’s standard Windows AD credentials.

    2. Second Factor: A secure authentication method chosen from 15+ authentication methods offered by miniOrange, including OTPs, push notifications, biometric authentication, hardware tokens, and more.

Key Capabilities of miniOrange Windows MFA/2FA

  • 2FA for User Account Control (UAC) elevation requests
  • Swift deployment via Group Policy Object (GPO), push, or import/export function
  • Self-Service Password Reset (SSPR) ability
  • Azure AD or Local AD integration through LDAP
  • Passwordless login option
  • Machine-based 2FA
  • Offline 2FA

By deploying miniOrange’s 2FA product, organizations can fortify Windows and RDP environments against credential theft, phishing, and brute-force attacks, so only trusted users gain access.




miniOrange 2FA Solution for Windows Logon and Remote Desktop (RDP) access supports the following Two-Factor Authentication (2FA/MFA) methods:

    Authentication Type     Method
    Mobile Token            miniOrange Authenticator Soft Token
                            miniOrange Push Notification
                            Google Authenticator
                            Microsoft Authenticator
                            Authy Authenticator
    SMS                     OTP Over SMS
                            SMS with Link
    Email                   OTP Over Email
                            Email with Link
    Call Verification       OTP Over Call
    Hardware Token          YubiKey Hardware Token
                            Display Hardware Token

System Requirements for the miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider

miniOrange Credential Provider for Windows Logon and RDP Access supports both client and server operating systems.

    Supported Microsoft Windows Client versions:

    • Windows 7 SP1
    • Windows 8.1
    • Windows 10
    • Windows 11

    Supported Windows Server versions (GUI and core installs):

    • Windows Server 2008 R2 SP1
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022

Apart from the Windows operating system, miniOrange supports 2FA for Mac and Linux operating systems.

Get Free Installation Help - Book a Slot


miniOrange offers free help through a consultation call with our System Engineers to install or set up the Two-Factor Authentication (2FA) for Windows Logon and RDP solution in your environment, with a 30-day trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you set it up in no time.



How Windows Logon 2FA Works


[Figure: Windows 2FA/MFA login architecture flow]


Prerequisites for setting up Windows Two-Factor Authentication (2FA)

  • .NET Framework 4.8
  • miniOrange Cloud Account or On-premise Setup.
  • Enroll users in miniOrange before configuration:
    • The user's username in miniOrange must be the same as their Windows username.
    • This is required so that the service can prompt the appropriate 2FA for the user, based on the defined policy, and provide secure access to the machine/RDP.
    • There are multiple methods to add users in miniOrange.

Step by step guide to setup Two-Factor Authentication (2FA/MFA) for Windows Logon

1. Download 2FA Module

  • Click here to download the Windows 2FA/MFA module.

2. Setup your miniOrange dashboard for Windows 2FA

In this step, we are going to set up your Two-Factor Authentication (2FA) preferences, such as:

  • Which users should be asked for 2FA during Windows logon.
  • Which 2FA methods they can use.

2.1: Adding an app and a policy for 2FA

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click the Add Application button.
  • Click Desktop under the App Types dropdown.
  • Add the Windows app on miniOrange.
  • In the Basic tab, enter the Display Name. Description is optional.
  • Click Save to continue. You will be automatically redirected to the Policies tab.
  • Then, click Add Policy to set a policy for your application.
  • A dialog box will appear prompting you to enter the following details:
    Group Name      Select the group for which you wish to add this policy. For multiple groups, you can click here to add a separate policy for each group.
    Policy Name     Give a name for the authentication policy.
    First Factor    Select the login method as Password or Password-less. You can enable 2-Factor Authentication (MFA), Adaptive Authentication and Force MFA On Each Login Attempt if required.
  • Click Submit to add the policy.
  • Once submitted, the newly added policy will appear in the list.

2.2: Choose which 2FA methods users can use

  • Go to 2-Factor Authentication >> 2FA Options for End User.
  • Disable the methods you don't want your users to configure or use for 2FA.

3. Setup miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon

  • Open miniOrange 2FA Configuration from the Start Menu.
  • Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" show "Yes". If any of these are not as expected, see this FAQ to fix it.

3.a: Integrate the module with your miniOrange account

  • Click Plugin Selection, then double-click miniOrange under Plugin Name.
  • A 2FA Configuration form will open up.
  • Note:

    If you're using the On-premise IDP application, replace the IDP Server URL with the base URL of your On-premise IDP application and make sure that URL is accessible from this machine. You can also use the IP of the server where the IDP application is hosted.

  • To fill in these details, log in to your miniOrange admin account on Cloud or On-premise.
  • Click the Settings cog in the top right corner.
  • Copy the Customer Key and Customer API Key.
  • Now go to Apps and copy the name of the Windows application created in step 2.
  • Paste all these details into the form and click Save. Leave the checkboxes as they are; more about them later.

3.b: Configure Domain

    Note:

    Skip this step if you're not configuring this on a domain-joined machine.

  • In the Plugin Selection tab, double-click Domain User Login.
  • Replace the domain name used before the username with your AD domain.
  • To check your domain name, you can also use the command: SET USERDOMAIN
  • Click Save.

3.c: Test MFA

    Note: Please make sure that at this point a user with the same username as in Windows exists in miniOrange and has 2FA set up.
    For instructions on setting up 2FA from the Self Service Console, see this link.

  • Click the Test MFA button.
  • Enter your machine username, which is also present in miniOrange, and click Test MFA.
  • You will be prompted to select one of the MFA methods you've configured. Select one method and click Next.
  • Provide validation:
    • If asked for an OTP, enter the OTP and click Login.

      OR

    • If asked for approval through a push notification, accept the push notification on your phone.

    • After successful validation, you'll see a Test Successful message.

4. Use miniOrange 2FA during login

  • You should see the miniOrange login page after locking the computer or signing out. Enter your username and password.

    Note: The logo and message on the login page can be customized from the General tab in the miniOrange configuration.

  • If you're using RDP, make an RDP connection using your username and password.
  • You'll see the 2FA prompt. Proceed by selecting a 2FA option and validating it.
  • You will be logged in to your account.

4.a: Disable other login methods (Optional)

  • Go to the Credential Provider Options tab.
  • Check the box "Force miniOrange 2FA on Logon".
  • Click Apply.

5. Adaptive Authentication

Note: Device-Based Restriction cannot be applied to Windows devices.

    A. Add Adaptive Authentication Policy

  • Log in to the Admin dashboard, then go to the Adaptive Authentication >> Add Policy section.

    IP Configuration

    In IP restriction, the admin configures a list of IP addresses to allow or deny access from. When a user tries to log in to any application configured with adaptive authentication, their IP address is checked against the configured IP list, and the action is decided based on the configuration (i.e. Allow, Deny or Challenge).

    How to Configure IP Address:

    • On the Add Policy tab, select IP Configuration and click the Edit button.
    • Click Add IP.
    • Specify the IP address that you want to whitelist. For IP ranges other than the whitelisted ones, the setting selected above applies.
    • Choose either allow or deny by selecting the radio button next to it.
    • If a user tries to log in from a whitelisted IP address, they will always be allowed access.
    • IP address ranges are supported in three formats, i.e. IPv4, IPv4 CIDR and IPv6 CIDR. Choose whichever suits you from the dropdown menu.
    • You can add multiple IPs and IP ranges by clicking the + button.

    • Before saving, visit the Action for Behavior Change section.
    • Once the changes are made, scroll down and click on Save.
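To make the IP rule evaluation concrete, here is an added example in Python (not miniOrange code) that validates entries in the three supported formats and decides Allow, Deny or Challenge for a login's source IP. The precedence when several entries match (an Allow entry wins, since the page says whitelisted IPs are always allowed) and the sample addresses are assumptions.

```python
import ipaddress

ALLOW, DENY, CHALLENGE = "Allow", "Deny", "Challenge"   # the three policy actions on the page


def rule_format(entry):
    """Classifies an entry as one of the three formats the dropdown offers, or rejects it."""
    try:
        obj = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        raise ValueError(f"not an IP address or CIDR range: {entry!r}")
    if "/" in entry:
        return "IPv4 CIDR" if obj.version == 4 else "IPv6 CIDR"
    if obj.version == 4:
        return "IPv4"
    raise ValueError("bare IPv6 addresses are not a supported format; use IPv6 CIDR")


def parse_rule(entry, action):
    """Returns (network, action); a single IPv4 address becomes a /32 network."""
    rule_format(entry)  # raises on unsupported input
    if action not in (ALLOW, DENY):
        raise ValueError("a rule entry is either Allow or Deny")
    return ipaddress.ip_network(entry, strict=False), action


def evaluate_ip_policy(rules, default_action, source_ip):
    """Decides the action for a login from source_ip.
    Assumption (not stated on the page): when several entries match, an Allow entry
    wins over a Deny entry, since whitelisted addresses are always allowed."""
    ip = ipaddress.ip_address(source_ip)
    matched = {action for net, action in rules if ip in net}  # version mismatch never matches
    if ALLOW in matched:
        return ALLOW
    if DENY in matched:
        return DENY
    return default_action


# Constructed policy: an office range and one admin host allowed, a blocked IPv6 range
# denied, everything else challenged with the user's second factor.
OFFICE_RULES = [
    parse_rule("203.0.113.0/24", ALLOW),
    parse_rule("198.51.100.7", ALLOW),
    parse_rule("2001:db8:bad::/48", DENY),
]
DEFAULT_ACTION = CHALLENGE


def decide(source_ip):
    return evaluate_ip_policy(OFFICE_RULES, DEFAULT_ACTION, source_ip)
```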

    Location Configuration

    In location restriction, the admin configures a list of locations from which end users are either allowed to log in or denied, based on the condition set by the admin. When a user tries to log in with adaptive authentication enabled, their location attributes (Latitude, Longitude and Country Code) are verified against the location list configured by the admin. Based on this, the user is either allowed, challenged or denied.

    How to configure Location-based Configuration:

    • On the Add Policy tab, navigate to the Location Configuration section.
    • Enter the Location Name and select it from the search results.
    • Add the In and Around Distance for your location.
    • Select the distance unit, KMS or Miles, from the dropdown.
    • Enable or disable the switch to allow or deny access for each location.
    • Click the + button to add more locations and repeat the above steps.

    • Before saving, visit the Action for Behavior Change section.
    • Scroll down and click on Save.
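An added example in Python (not miniOrange code) of how a location entry can be evaluated: the login's coordinates are compared against each entry's In and Around Distance using the haversine formula, with the KMS/Miles unit converted. Requiring the login's country code to match the entry's country, and checking entries in order, are assumptions; the coordinates are constructed.

```python
import math

ALLOW, DENY, CHALLENGE = "Allow", "Deny", "Challenge"   # Action for Behavior Change values
EARTH_RADIUS_KM = 6371.0
KM_PER_MILE = 1.609344


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def radius_km(distance, unit):
    """The entry's In and Around Distance with the KMS / Miles unit from the dropdown."""
    if unit == "KMS":
        return float(distance)
    if unit == "Miles":
        return distance * KM_PER_MILE
    raise ValueError(f"unknown distance unit: {unit!r}")


def evaluate_location_policy(locations, login, default_action=CHALLENGE):
    """login = {"lat": .., "lon": .., "country": ..}. Assumptions: an entry matches only when
    the country codes agree and the login lies within the entry's radius, and the first
    matching entry decides; a login matching no entry gets the policy's default action."""
    for loc in locations:
        if loc["country"] != login["country"]:
            continue
        distance = haversine_km(loc["lat"], loc["lon"], login["lat"], login["lon"])
        if distance <= radius_km(loc["distance"], loc["unit"]):
            return ALLOW if loc["allow"] else DENY
    return default_action


# Constructed entries: a 5 km circle around a London office is allowed, a 20-mile circle
# around a New York location is denied; anything else falls back to the challenge action.
LOCATIONS = [
    {"name": "London office", "country": "GB", "lat": 51.5074, "lon": -0.1278,
     "distance": 5, "unit": "KMS", "allow": True},
    {"name": "New York", "country": "US", "lat": 40.7128, "lon": -74.0060,
     "distance": 20, "unit": "Miles", "allow": False},
]


def decide(lat, lon, country):
    return evaluate_location_policy(LOCATIONS, {"lat": lat, "lon": lon, "country": country})
```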

    Time of Access Configuration

    In time restriction, the admin configures a time zone with Start and End Times for that time zone, and users are either allowed, denied or challenged based on the condition in the policy. When an end user tries to log in with adaptive authentication enabled, their time zone related attributes, such as Time Zone and Current System Time, are verified against the list configured by the admin, and based on the configuration the user is either allowed, denied or challenged.

    How to configure Time-based Configuration:

    • On the Add Policy tab, navigate to the Time of Access Configuration section.
    • From the Select Timezone list, select the time zone. From the Start Time and End Time lists, select the appropriate values. For each time configuration you add, you can choose to either allow or deny it by enabling or disabling the switch next to it.
    • Enter a value in minutes in the input field next to Time Difference allowed for the Fraud Prevention check. This value specifies some relaxation before your start time and after your end time (so if the start time is 6 AM and the end time is 6 PM with a time difference value of 30 minutes, the policy will consider the time from 5:30 AM to 6:30 PM). If no value is entered in this field, the default of 15 minutes is used.
    • You can click on the Add Time button to include more than one Time Configuration and then follow the above step.
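An added example in Python (not miniOrange code) that applies a Time of Access rule with the Time Difference tolerance described above, including the page's own 6 AM to 6 PM / 30-minute case and a window that crosses midnight. A fixed UTC offset stands in for the named time zone, and checking rules in order is an assumption.

```python
from datetime import datetime, time, timedelta, timezone

ALLOW, DENY, CHALLENGE = "Allow", "Deny", "Challenge"   # Action for Behavior Change values
DEFAULT_TOLERANCE_MIN = 15   # page: used when the Time Difference field is left empty


def minutes_of_day(t):
    return t.hour * 60 + t.minute


def utc(year, month, day, hour, minute):
    """Timezone-aware UTC login timestamp (what the server would record)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_window(rule, login_utc):
    """True when the login's local time lies in [start - tolerance, end + tolerance].
    rule = {"tz": tzinfo, "start": time, "end": time, "tolerance_min": int or None, "allow": bool}.
    Assumption: a fixed UTC offset stands in for the named time zone chosen in the dropdown."""
    tol = rule.get("tolerance_min")
    tol = DEFAULT_TOLERANCE_MIN if tol is None else tol
    start = (minutes_of_day(rule["start"]) - tol) % 1440
    end = (minutes_of_day(rule["end"]) + tol) % 1440
    now = minutes_of_day(login_utc.astimezone(rule["tz"]))
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # the widened window wraps past midnight


def evaluate_time_policy(rules, login_utc, default_action=CHALLENGE):
    """Assumption: rules are checked in order and the first whose window covers the login
    decides; a login outside every window gets the policy's default action."""
    for rule in rules:
        if in_window(rule, login_utc):
            return ALLOW if rule["allow"] else DENY
    return default_action


# Constructed rules. BUSINESS_HOURS is the page's own example: 6 AM to 6 PM with a
# 30-minute tolerance, so logins between 5:30 AM and 6:30 PM local time are allowed.
IST = timezone(timedelta(hours=5, minutes=30))
BUSINESS_HOURS = {"tz": IST, "start": time(6, 0), "end": time(18, 0), "tolerance_min": 30, "allow": True}
# A deny window from 10 PM to 2 AM UTC with the default tolerance, i.e. 9:45 PM to 2:15 AM.
NIGHT_DENY = {"tz": timezone.utc, "start": time(22, 0), "end": time(2, 0), "tolerance_min": None, "allow": False}


def decide(login_utc, rules=(BUSINESS_HOURS,)):
    return evaluate_time_policy(rules, login_utc)
```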

    Action for Behavior Change

    You can configure one of three possible actions for your Adaptive Authentication Policy, as explained below:

    Attribute   Description
    Allow       Allow users to authenticate and use services if the Adaptive Authentication condition is true.
    Deny        Deny users authentication and access to services if the Adaptive Authentication condition is true.
    Challenge   Challenge users with one of the three methods below to verify their authenticity.

    Challenge Type Options:

    Factor                      Description
    User Second Factor          The user must authenticate with the second factor they have opted for or been assigned, such as OTP over SMS, Push Notification, OTP over Email and many more.
    KBA                         The system asks the user 2 of the 3 questions they configured in the Self-Service Console. Only after the right answer to both questions is the user allowed to proceed.
    OTP over Alternate Email    The user receives an OTP on the alternate email configured through the Self-Service Console. Once the correct OTP is provided, the user is allowed to proceed.

    B. Apply the Adaptive Authentication Policy in App

    • Log in to the Self Service Console >> Policies >> Add Login Policy.
    • Click the Edit icon for the predefined app policy.
    • Set your policy in the Policy Name field and select Password as the First Factor.
    • Enable Adaptive Authentication on the Edit Login Policy page and select the required restriction method as an option.
    • From the Select Login Policy dropdown, select the policy created in step 2.1.
    • Click Submit to apply the policy changes.

6. Deployment using Group Policy

For deployment and configuration using group policy, please see our miniOrange 2FA for Windows Logon Group Policy Documentation.

Further References

miniOrange Credential Provider for Remote Desktop (RDP) and Windows Logon

The user initiates login to Windows or the Remote Desktop Service either through a Remote Desktop Client or via the RD Web login page in a browser. The miniOrange RD Web component installed on the target machine then sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD. After successful authentication, Two-Factor Authentication (2FA) of the user is invoked; once the user validates the second factor, they are granted access to the Remote Desktop Service (RDP).


A user can connect to RDS (Remote Desktop Services, over RDP) in one of three ways:

  • RDC - Remote Desktop Client: If the RemoteApp is launched through a Remote Desktop client application, users complete their 2-factor authentication as they enter the username and password to access the resources. (Since this method does not support the RADIUS Access-Challenge response, only out-of-band authentication methods are supported.)
  • RD Web Access - RD login page via browser: If the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for 2-factor authentication via a RADIUS challenge request. After users authenticate correctly, they are connected to their resources.
  • RD Gateway: If the organization's resources or servers are protected by a Remote Desktop Gateway, you can set up 2-Factor Authentication on top of that as well. First-level authentication uses the AD credentials, after which miniOrange prompts for the configured 2FA.
    Check the guide to set up RD Gateway 2FA

Two-Factor Authentication (2FA/MFA) for RDS via RD Web

  • In this case, the user goes to the RD Web login page in their browser to connect to the Remote Desktop Service. They enter their username and password, and on submission the RD Web component installed on the target machine sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD of the target machine.
  • Once authenticated, the server sends a RADIUS challenge to RD Web, which then shows the OTP screen in the browser. Once the user enters the One Time Passcode, the miniOrange IdP verifies it and grants or denies access to the RDS.
  • With this, once the user is connected to the Remote Desktop Service, they can also access the published RemoteApp icons on their browser screen, since the session has already been created for them. Know more about Remote Desktop (RD) Web 2FA

[Figure: RDS MFA via RD Web demonstration user flow]

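As an added example (not miniOrange code), the RADIUS exchange described above in Python: the RD Web side sends an Access-Request with the password, the server answers with an Access-Challenge carrying a State attribute, and the OTP comes back in a second Access-Request that echoes that State. The toy server, shared secret, user, password and OTP are constructed stand-ins; the packet layout, User-Password hiding and Response Authenticator check follow RFC 2865.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                 # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"          # constructed: NAS <-> RADIUS server shared secret
USERS = {"alice": ("Winter2024!", "492817")}   # constructed: username -> (AD password, current OTP)
_pending = {}                                  # server side: State value -> user awaiting an OTP

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)  # Type-Length-Value

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def pw_xor(data, req_auth, hiding):
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with an MD5 chain."""
    data = data.ljust(-(-len(data) // 16) * 16, b"\0") if hiding else data
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def access_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def reply(code, req, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, req[1], 20 + len(body))
    return head + hashlib.md5(head + req[4:20] + body + SECRET).digest() + body

def verify_reply(resp, req):  # client-side proof that the reply came from a holder of SECRET
    return resp[4:20] == hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest()

def server(req):  # toy stand-in for the RADIUS server: AD password first, then OTP via Access-Challenge
    attrs = decode_attrs(req[20:])
    user = attrs[USER_NAME].decode()
    supplied = pw_xor(attrs[USER_PASSWORD], req[4:20], False).rstrip(b"\0").decode()
    password, otp = USERS.get(user, (None, None))
    if STATE in attrs:  # second round: the OTP arrives together with the echoed State
        ok = _pending.pop(attrs[STATE], None) == user and supplied == otp
        return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, [])
    if supplied != password:
        return reply(ACCESS_REJECT, req, [])
    state = os.urandom(8)
    _pending[state] = user
    return reply(ACCESS_CHALLENGE, req, [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")])

def login(user, password, otp):  # RD Web component side; returns the final RADIUS code
    attrs, ident = [(USER_NAME, user.encode())], 1
    for secret_input in (password, otp):
        auth = os.urandom(16)
        req = access_request(ident, auth, attrs + [(USER_PASSWORD, pw_xor(secret_input.encode(), auth, True))])
        resp = server(req)
        assert verify_reply(resp, req), "reply authenticator mismatch"
        if resp[0] != ACCESS_CHALLENGE:
            return resp[0]
        attrs, ident = attrs + [(STATE, decode_attrs(resp[20:])[STATE])], ident + 1
    return ACCESS_REJECT
```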

Frequently Asked Questions (FAQs)

What is Windows Two-Factor Authentication?

Windows Two-Factor Authentication (2FA) requires users to verify their identity using two separate factors before gaining access to their Windows machine or Remote Desktop (RDP).

Is Two-Factor Authentication necessary for Windows login in my organization?

Yes, password-based security alone is no longer sufficient, especially with rising credential phishing and brute-force attacks. Implementing Windows MFA with miniOrange ensures that even if passwords are compromised, unauthorized users cannot gain access.

Which Windows 2FA solution is suitable for adoption within my organization?

The ideal choice is the one that combines security, flexibility, and ease of deployment. The miniOrange Windows MFA product is designed exactly for this.

How does 2FA for Windows Logon work?

  • Initial Login: Users enter their AD domain credentials or use miniOrange to verify their identity.
  • Second Factor: Users receive a time-sensitive authentication code via SMS, email, or a third-party authentication provider. They must enter this code to proceed.
  • Access Granted: After successfully entering the code, users are logged in to their Windows machines.
