How to setup Two-Factor Authentication (2FA/MFA) for Windows Logon & RDP


Given the pace of password-based breaches, protecting Remote Desktop (RDP) and local Windows logons with a username and password alone is no longer adequate. Adding a second authentication factor (Two-Factor Authentication, 2FA) filters out anyone who holds only the password.

The miniOrange Windows Two-Factor Authentication (2FA) solution adds that second layer to RDP and local Windows logins. Once Windows 2FA/MFA is enabled, users authenticate in two successive stages to reach their Windows machines: the first stage uses their usual Windows AD credentials, and for the second stage admins choose from the 15+ 2FA methods that miniOrange offers. miniOrange integrates with both Microsoft Windows client and server operating systems.


Explore the areas that can be enhanced with the Windows 2FA login solution:

  • 2FA for User Account Control (UAC) elevation requests
  • Swift deployment via Group Policy Object push or import/export functionality
  • Self-service password reset (SSPR) capability
  • Integration with Azure AD or local AD through LDAP
  • Passwordless login option
  • Machine-based 2FA
  • Offline 2FA



The miniOrange 2FA solution for Windows Logon and Remote Desktop (RDP) access supports the following Two-Factor Authentication (2FA/MFA) methods, grouped by authentication type:

  • Mobile Token: miniOrange Authenticator Soft Token, miniOrange Push Notification, Google Authenticator, Microsoft Authenticator, Authy Authenticator
  • SMS: OTP over SMS, SMS with Link
  • Email: OTP over Email, Email with Link
  • Call Verification: OTP over Call
  • Hardware Token: YubiKey Hardware Token, Display Hardware Token

System Requirements for the miniOrange Two-Factor Authentication (2FA/MFA) Login Credential Provider:

miniOrange Credential Provider for Windows Logon and RDP Access supports both client and server operating systems.

    Supported Microsoft Windows Client versions:

    • Windows 7 SP1
    • Windows 8.1
    • Windows 10
    • Windows 11

    Supported Windows Server versions (GUI and core installs):

    • Windows Server 2008 R2 SP1
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022

Apart from Windows, miniOrange also supports 2FA for the macOS and Linux operating systems.

Get Free Installation Help - Book a Slot


miniOrange offers free help, through a consultation call with our System Engineers, to install or set up the Two-Factor Authentication (2FA) for Windows Logon and RDP solution in your environment, with a 30-day trial.

To book a slot, send an email to idpsupport@xecurify.com and we will help you set it up in no time.



How Windows Logon 2FA Works


Windows 2FA/MFA Login architecture flow


Prerequisites for setting up Windows Two-Factor Authentication (2FA)

  • .NET Framework 4.8
  • miniOrange Cloud account or on-premise setup.
  • Enroll users in miniOrange before configuration:
    1. The username of the user in miniOrange must be the same as the Windows username.
    2. This is required so that the service can prompt the appropriate 2FA for that user, based on the defined policy, and grant secure access to the machine/RDP.
    3. There are multiple ways to add users in miniOrange:
      1. An admin can add end users manually.
      2. Set up user provisioning from your existing identity source or Active Directory.

Step by step guide to setup Two-Factor Authentication (2FA/MFA) for Windows Logon

1. Download 2FA Module

  • Click here to download the Windows 2FA/MFA module.

2. Setup your miniOrange dashboard for Windows 2FA

In this step, we are going to setup your Two-Factor Authentication (2FA) preferences, such as:

  • Which users should be asked for 2FA during windows logon.
  • What 2FA methods can they use.

2.1 Adding app and policy for 2FA

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click the Add Application button.
  • In Choose Application Type, click the Create App button under the Desktop application type.
  • Select the Windows app.
  • Enter an App Name. You will need this exact name again when configuring the credential provider in step 3a.
  • Select Login Method as Password and enable 2-Factor Authentication (2FA).
  • Click Save.

2.2 Choose which 2FA options the users can use

3. Setup miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon

  • Open miniOrange 2FA Configuration from the Start Menu.

  • Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" read "Yes". If any of these are not as expected, see this FAQ to fix it.

    3a : Integrate the module with your miniOrange account.

  • Click Plugin Selection, then double-click miniOrange under Plugin Name.
  • A 2FA Configuration form will open.
  • Note:

    If you are using an On-premise IdP application, replace the IDP Server URL with the base URL of your on-premise IdP application and make sure that URL is reachable from this machine. You can also use the IP address of the server hosting the IdP application. The Customer API Key entered into this form is a credential for your miniOrange account, so prefer an HTTPS base URL so that it is not sent in clear text.

  • To fill in these details, log in to your miniOrange admin account on Cloud or On-premise.
  • Click the Settings cog in the top right corner.
  • Copy the Customer Key and Customer API Key.
  • Now go to Apps and copy the name of the Windows application created in step 2.
  • Paste all of these details into the form and click Save. Leave the checkboxes as they are; they are covered later.

    3b. Configure Domain

    Note:

    Skip this step if you are not configuring this on a domain-joined machine.


  • In the Plugin Selection tab, double-click Domain User Login.
  • Replace the domain name shown before the username with your AD domain.
  • To check your domain name, run the command SET USERDOMAIN (or echo %USERDOMAIN%) in a command prompt; it prints the NetBIOS domain name, which is the form used before the backslash in DOMAIN\username.
  • Click Save.
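The two name requirements that the prerequisites and step 3b impose (a miniOrange user with exactly the Windows username, and account names whose domain part is the AD domain entered above) are easy to get wrong across a fleet. The following is an added pre-flight check written for this page; it is not a miniOrange tool. It assumes three account name forms (down-level DOMAIN\user, UPN user@domain, bare local name), a NetBIOS and DNS domain name, and uses constructed account lists in place of real exports from Windows and the miniOrange admin console.

```python
# Added pre-flight check for the two name requirements above: every Windows
# account must have an identically named miniOrange user, and the domain part
# of the account names must be the AD domain entered in the Domain User Login
# plugin.  Example code written for this page, not miniOrange tooling; the
# account lists and domain names are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: accounts as Windows may present them, in the three accepted forms
# (down-level DOMAIN\user, UPN user@domain, bare local name).
WINDOWS_ACCOUNTS = [r"CORP\alice", "bob@corp.example.com", "Carol", r"CORP\dave", r"OTHERDOM\erin"]
# Constructed: usernames as the admin enrolled them in miniOrange.
MINIORANGE_USERS = ["alice", "bob", "carol", "frank"]
# Assumed AD domain, NetBIOS form (what SET USERDOMAIN prints) and DNS form.
AD_NETBIOS_DOMAIN, AD_DNS_DOMAIN = "CORP", "corp.example.com"


@dataclass
class Account:
    raw: str
    domain: Optional[str]   # None for a local account
    user: str               # bare username, the form miniOrange must hold


def parse_account(raw: str) -> Account:
    """Split DOMAIN\\user, user@domain or a bare name into its parts."""
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
        return Account(raw, dom, user)
    if "@" in raw:
        user, dom = raw.rsplit("@", 1)
        return Account(raw, dom, user)
    return Account(raw, None, raw)


def check_enrolment(windows_accounts: List[str], miniorange_users: List[str],
                    netbios: str, dns: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, warnings, errors).
    errors   : accounts the credential provider cannot map to an enrolled user
    warnings : accounts that match only if the IdP ignores case"""
    exact = set(miniorange_users)
    folded = {u.casefold(): u for u in miniorange_users}
    domains = {netbios.casefold(), dns.casefold()}
    warnings, errors = [], []
    for raw in windows_accounts:
        acct = parse_account(raw)
        if acct.domain is not None and acct.domain.casefold() not in domains:
            errors.append(f"{raw}: domain {acct.domain!r} is not the configured AD domain {netbios!r}")
        elif acct.user in exact:
            continue
        elif acct.user.casefold() in folded:
            warnings.append(f"{raw}: enrolled as {folded[acct.user.casefold()]!r}, which differs only in case")
        else:
            errors.append(f"{raw}: no user named {acct.user!r} is enrolled in miniOrange")
    return not errors, warnings, errors


if __name__ == "__main__":
    ok, warns, errs = check_enrolment(WINDOWS_ACCOUNTS, MINIORANGE_USERS, AD_NETBIOS_DOMAIN, AD_DNS_DOMAIN)
    for line in warns + errs:
        print(line)
    print("ready to enforce 2FA" if ok else "fix the accounts above before enabling Force miniOrange 2FA on Logon")
```

Run it against a real export before ticking "Force miniOrange 2FA on Logon" in step 4a: an account listed under errors has no matching enrolment and will not get a usable 2FA prompt, and a case-only mismatch is flagged separately because Windows compares usernames case-insensitively while the IdP side may not.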
    3c. Test MFA

    Note:

    Make sure that at this point a user with the same username as the Windows account exists in miniOrange and has 2FA set up.
    For instructions on setting up 2FA from the Self Service Console, see this link.


  • Click the Test MFA button.
  • Enter your machine username (which must also exist in miniOrange) and click Test MFA.
  • You will be prompted to select one of the MFA methods you have configured. Select one method and click Next.
  • Provide the validation:
    1. If asked for an OTP, enter the OTP and click Login.

      OR

    2. If asked for approval through a push notification, accept the push notification on your phone.

    3. After successful validation, you will see a Test Successful message.

4. Use miniOrange 2FA during login

  • After locking the computer or signing out, you should see the miniOrange login page. Enter your username and password.
  • Note: The logo and message on the login page can be customized from the General tab in the miniOrange configuration.
  • If you are using RDP, make an RDP connection using your username and password.
  • You will see the 2FA prompt. Select a 2FA option and validate it.
  • You will be logged into your account.

    4a. Disable other login methods (Optional):

  • Go to the Credential Provider Options tab.
  • Check the box "Force miniOrange 2FA on Logon".
  • Click Apply.
  • Enable this first on a machine you can still reach another way, after Test MFA (step 3c) has succeeded for the account you administer with; once other login methods are disabled, an account that is not enrolled in miniOrange has no alternative way to sign in.

5. Deployment using Group Policy

For deployment and configuration using group policy, please see our miniOrange 2FA for Windows Logon Group Policy Documentation.

Further References

miniOrange Credential Provider for Remote Desktop (RDP) and Windows Logon

The user initiates the login to Windows or the Remote Desktop Service either through a Remote Desktop client or via the RD Web login page in a browser. The miniOrange RD Web component installed on the target machine then sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD. After that succeeds, Two-Factor Authentication (2FA) of the user is invoked; once the user validates the second factor, access to the Remote Desktop Service (RDP) is granted.


A user can connect to Remote Desktop Services (RDS, over the RDP protocol) in three ways:

  • RDC - Remote Desktop Client: If the desktop or RemoteApp is launched through a Remote Desktop client application, users complete their 2-factor authentication at the point where they enter their username and password. Because this path does not support a RADIUS Access-Challenge round trip, only out-of-band authentication methods (push notification, for example) are supported here.
  • RD Web Access - RD login page via browser: If the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for 2-factor authentication via a RADIUS Access-Challenge. Once users authenticate correctly, they are connected to their resources.
  • RD Gateway: If the organization's resources or servers are protected by a Remote Desktop Gateway, you can set up 2-Factor Authentication on top of that as well. First-level authentication uses the AD credentials, after which miniOrange prompts for the configured 2FA.
    See the guide to set up RD Gateway 2FA.

Two-Factor Authentication (2FA/MFA) for RDS via RD Web

  • In this case, the user goes to the RD Web login page in a browser to connect to the Remote Desktop Service. The user enters a username and password; on submission, the RD Web component installed on the target machine sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD on the target machine.
  • Once authenticated, the server returns a RADIUS challenge to RD Web, which now shows an OTP screen in the browser. When the user enters the One Time Passcode, the miniOrange IdP verifies it and grants or denies access to the RDS.
  • After the user is connected to the Remote Desktop Service, the published RemoteApp icons on the browser screen are also accessible, since the session has already been created for the user. Know more about Remote Desktop (RD) Web 2FA
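The two-leg RADIUS exchange described above, as an added example written for this page (it is not miniOrange's RADIUS server or RD Web component): leg one carries the AD password in a PAP User-Password attribute and is answered with an Access-Challenge holding a State attribute and a Reply-Message; leg two echoes the State and carries the OTP, and is answered with Access-Accept or Access-Reject. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865. The shared secret, the AD password table and the OTP table are constructed stand-ins for the real AD bind and the IdP's OTP verification.

```python
# Added example of the RADIUS exchange described above; not miniOrange's own code.
# Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865.
# The shared secret, AD password and OTP are constructed test values.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"     # assumed RADIUS client shared secret
AD_PASSWORDS = {"alice": "Winter2024!"}    # stand-in for the server's AD check
OTP_FOR_USER = {"alice": "482913"}         # stand-in for the IdP's OTP check

def encode_attrs(attrs):
    """[(type, value bytes)] -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def pap_encrypt(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, attrs, req_auth):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + SECRET).digest()

def build_request(ident, username, password, state=None):
    """RD Web side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_encrypt(password.encode(), SECRET, req_auth))]
    if state is not None:
        attrs.append((STATE, state))          # echo the server's State on leg two
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(packet, pending):
    """RADIUS server side; `pending` maps each issued State to its username."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = attrs[USER_NAME].decode()
    submitted = pap_decrypt(attrs[USER_PASSWORD], SECRET, req_auth).decode()
    state = attrs.get(STATE)
    if state is None:                                   # leg one: AD password
        if AD_PASSWORDS.get(user) != submitted:
            reply, rattrs = ACCESS_REJECT, []
        else:
            state = os.urandom(16)
            pending[state] = user
            reply, rattrs = ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")]
    elif pending.pop(state, None) == user and OTP_FOR_USER.get(user) == submitted:
        reply, rattrs = ACCESS_ACCEPT, []               # leg two: OTP; State is single-use
    else:
        reply, rattrs = ACCESS_REJECT, []
    return build_packet(reply, ident, response_authenticator(reply, ident, rattrs, req_auth), rattrs)

def client_verify(reply, req_auth):
    """RD Web side: refuse any reply whose Response Authenticator does not verify."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:])
    if reply[4:20] != response_authenticator(code, ident, attrs, req_auth):
        raise ValueError("bad Response Authenticator: reply not produced with our secret")
    return code, dict(attrs)

def rd_web_login(username, password, otp):
    """Drive both legs as the RD Web component would; return the final RADIUS code."""
    pending = {}
    pkt, auth = build_request(1, username, password)
    code, attrs = client_verify(server_handle(pkt, pending), auth)
    if code != ACCESS_CHALLENGE:
        return code
    pkt, auth = build_request(2, username, otp, state=attrs[STATE])
    return client_verify(server_handle(pkt, pending), auth)[0]
```

Two points the code makes concrete. The State attribute is the only thing tying leg two to leg one, so the server treats it as single-use and bound to the username; and the RADIUS client checks the Response Authenticator on every reply, so an Access-Accept not produced with the shared secret is dropped rather than trusted. It also shows why the Remote Desktop Client path above is limited to out-of-band methods: that path has nowhere to render the Access-Challenge, so the server has to complete the push approval itself and answer the first request directly with Accept or Reject.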

RDS MFA via RD Web demonstration user flow

Frequently Asked Questions (FAQs)

What is Windows Two-Factor Authentication?

Windows Two-Factor Authentication (2FA) strengthens logins to Windows systems by requiring more than one authentication factor to verify a user's identity before access to the machine is granted.

Is Two-Factor Authentication (2FA) necessary for Windows logins in my organization?

Absolutely, by implementing 2FA for Windows logins, you can introduce additional layers of security to your users' machines. Relying solely on a single factor, typically a username and password exposes these logins to potential attacks. However, integrating supplementary authentication methods secures the machines within your organization, offering protection against breaches and malicious activities.

Which Windows 2FA solution is suitable for adoption within my organization?

To bolster the security of Windows machines in your organization, consider implementing a miniOrange Windows Logon 2FA solution for local and remote logins. Furthermore, miniOrange provides additional 2FA features, such as:

  • Machine-based 2FA
  • 2FA for Windows User Account Control (UAC)
  • Offline 2FA

To gain a comprehensive understanding of the capabilities offered by miniOrange 2FA solution, we invite you to schedule a personalized demo with our solution experts or explore it yourself through a free 30-Day trial.

How 2FA for Windows Logons Works

  • Initial Login: Users enter their AD domain (or local Windows) credentials as the first factor.
  • Second Factor: Users complete the 2FA method configured for them, for example a code from an authenticator app, an OTP delivered by SMS, email or call, a push notification, or a hardware token.
  • Access Granted: After the second factor is validated, users are logged in to their Windows machines.
