
Two-Factor Authentication (2FA) for Windows Logon & RDP


Two-Factor Authentication (2FA/MFA) for Windows logon prevents password-based breaches. Enabling Windows 2FA always verifies identities before allowing access, making it more difficult for unauthorized users to gain access to your Microsoft Windows account. miniOrange Credential Provider can be installed on Microsoft Windows client and server operating systems to enable Two-Factor Authentication for Remote Desktop (RDP) and local Windows login. The Windows 2FA solution also handles your user management with Microsoft Active Directory or an LDAP directory. With this 2FA solution, users get easy access to the endpoints they need while identity assurance is increased and risk and exposure are reduced. You can also enable offline access for secure authentication. With miniOrange's advanced MFA solution, organizations get secure access to all work applications, for all their users, from anywhere, on any device they choose.

miniOrange 2FA Credential Provider for Windows Logon and Remote Desktop (RDP) access supports the following Multi-Factor Authentication (MFA) methods:

  • miniOrange Push (miniOrange Authenticator App)
  • miniOrange Soft Token (miniOrange Authenticator App)
  • Google Authenticator
  • Microsoft Authenticator
  • OTP over SMS/Email
  • Hardware Token

System Requirements for miniOrange Two-Factor Authentication (2FA) Credential Provider

miniOrange Credential Provider for Windows Logon and RDP Access supports both client and server operating systems.

Supported Microsoft Windows client versions:

  • Windows 7 SP1
  • Windows 8.1
  • Windows 10

Supported Windows Server versions (GUI and Core installs):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon also requires .NET Framework 4.5 or later. If the correct .NET version is not present on your system, the miniOrange Credential Provider setup prompts you to install the .NET Framework.

miniOrange 2-Factor Authentication (2FA/MFA) Credential Provider can also be installed via Group Policy software publishing and Group Policy administrative templates.

Video Setup Guide

  • Windows 2FA Login Using Google Authenticator
  • Windows 2FA Offline Authentication
Get Free Installation Help - Book a Slot

miniOrange offers free help through a consultation call with our System Engineers to install or set up the Two-Factor Authentication (2FA) for Windows Logon and RDP solution in your environment, with a 30-day trial.

For this, you just need to send us an email at idpsupport@xecurify.com to book a slot and we'll help you set it up in no time.

Prerequisites

  • Visual studio 2010 Redistributable
  • .NET Framework v4.0

Step by step guide to setup Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon

1. Download 2FA Module

  • Click here to download the Windows MFA module.

2. Configure Two-Factor Authentication (2FA) for Windows Logon in miniOrange

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click the Add Application button.
  • In Choose Application Type, click the Create App button under the OAUTH/OIDC application type.
  • Add a custom OAuth/OIDC app on miniOrange.
  • Add any Redirect URI, for example https://localhost/.
  • In the Policy section, enable 2FA.
  • Click Save.
  • Click the Edit action.
  • Copy and save the Client ID and Client Secret.

3. Setup miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon

  • Go to the folder where the downloaded "mOCredentialProvider.msi" file is located. Double-click it to open the installation window, then click Next.
  • Choose the installation path and click Next.
  • The installer is now ready to install miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon. Click Next.
  • Once the installation is complete, click Close to exit.
  • Go to the installation path of the miniOrange Credential Provider application and double-click the "pGina.Configuration" file.
  • Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" show "Yes".
  • Copy your customer details.
    • If you are using the miniOrange Cloud IDP server:
      Log in to the miniOrange console with your customer account and go to "Product settings". Copy the "Customer Key" and "Customer API Key" and keep them with you.
    • If you are using an on-premise IDP server:
      Log in to your on-premise IDP server account and go to the "Product settings" section. Copy the "Server Base URL", "Customer Key", and "Customer API Key" and keep them with you.
  • Go to Plugin Selection and enable the Authentication checkbox beside miniOrange.
  • Double-click Local Machine and make sure only "Always authenticate local users" is checked.
  • Double-click miniOrange and add these details:
    • Customer ID
    • API Key
    • Client ID and Client Secret of the app you created.
  • If you are using a domain-joined machine, double-click the Single User plugin. Remove the Username field value, change the domain to your LDAP domain name in upper case, and save.
  • Enable the Gateway checkbox of the Single User Login plugin.
  • Move miniOrange to the top of the authentication order.
    • Go to the Plugin Order tab and move miniOrange to the top using the arrows.
    • In Simulation, enter your miniOrange username and password and click the green Run button. The status of the miniOrange plugin should be True.
    • Click Save & Close.
  • You can customize the logo and message displayed on the Windows login screen as needed.
  • Click the "Apply" button to save the configuration.

4. Test miniOrange Credential Provider 2FA Setup

  • Open a command prompt at the miniOrange Credential Provider installation path.
  • Run "pGina.MFAAuthnPrompt.exe", passing the Username as its argument.
    Note: The Username you pass must exist, with the same Username, both in AD and in the users list of your miniOrange account in our cloud IDP or your on-premise IDP.
  • The Two-Factor Authentication (2FA) prompt is displayed. Select your 2FA method and click "Next".
  • The OTP is delivered to the user's registered mobile number. Enter the received OTP in the "One Time Passcode" input field and click Next.
  • Try a Windows login with the miniOrange credential provider.
  • Provide your Username and Password.
  • After successful authentication with your LDAP server, it prompts for Two-Factor Authentication (2FA). Select the 2FA method and click Next.
  • Enter your OTP and click Next. After successful OTP validation the user is logged in to the Windows machine.
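The manual test above assumes the service is running, the provider is registered and the right .NET version is present. The following PowerShell script is an added example (not miniOrange's own tooling) that checks those preconditions before launching the 2FA test prompt, so a failed prompt can be attributed to configuration rather than to an incomplete install. The install path and the Windows service display name are assumptions; change them to match your installation.

```powershell
# Added example, not miniOrange's own code. Save as Test-MoCredProvider.ps1 and run
# from an elevated PowerShell:  .\Test-MoCredProvider.ps1 -Username jdoe
# Assumed values: $InstallPath and $ServiceName (the guide only calls it "miniOrange service").
param(
    [Parameter(Mandatory = $true)][string]$Username,
    [string]$InstallPath = 'C:\Program Files\miniOrange\CredentialProvider',  # assumption
    [string]$ServiceName = 'miniOrange service'                              # assumption
)

$ErrorActionPreference = 'Stop'
$problems = @()

# 1. .NET Framework 4.5 or later: the 'Release' value of the v4 Full key is 378389 or higher.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 378389) {
    $problems += '.NET Framework 4.5 or later is not installed'
}

# 2. The miniOrange service must be running (the status pGina.Configuration shows).
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += "service '$ServiceName' is not running"
}

# 3. The provider settings live under HKLM\SOFTWARE\pGina3 (the key the GPO step later exports).
if (-not (Test-Path 'HKLM:\SOFTWARE\pGina3')) {
    $problems += 'registry key HKLM\SOFTWARE\pGina3 is missing; was the MSI installed?'
}

# 4. The 2FA test prompt binary must be present in the install folder.
$prompt = Join-Path $InstallPath 'pGina.MFAAuthnPrompt.exe'
if (-not (Test-Path $prompt)) {
    $problems += "$prompt not found; check -InstallPath"
}

if ($problems.Count -gt 0) {
    Write-Host 'Pre-flight checks failed:' -ForegroundColor Red
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}

Write-Host 'Pre-flight checks passed; launching the 2FA test prompt for' $Username
# The guide documents passing the username as the argument to pGina.MFAAuthnPrompt.exe.
$proc = Start-Process -FilePath $prompt -ArgumentList $Username -Wait -PassThru
exit $proc.ExitCode
```

Run it with the same Username you would pass on the command line in the step above; the account must exist both in AD and in the miniOrange user list, exactly as the note says, or the prompt will fail even when every pre-flight check passes.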

5. Setup Credential Provider Group Policy for Windows

Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO).

Network administrators have one place where they can configure a variety of Windows settings for every computer on the network.

We use a GPO to simplify the installation of the credential provider software and to propagate this software's Windows registry settings in one go to each computer joined to the domain.

Follow these steps to set up the miniOrange Multi-Factor Authentication (2FA/MFA) Credential Provider Group Policy:

  • Search for "Computer Management" in the programs search and open it. Go to "Shared Folders->Shares".
  • Right-click in the "Shares" section area and click "New" in the list.
  • Click "Next" in the newly opened Shared Folder Wizard.
  • Click the "Browse" button.
  • Browse to the folder on the system where "mOCredentialProvider.msi" resides and select that folder.
  • Click "Next".
  • Provide a description of the folder being shared and click "Next".
  • Select the permissions of your choice for the folder being shared.
  • Sharing of the folder is successful. Click "Finish".
  • Go to the shared folder on your system, right-click the "mOCredentialProvider.msi" file and select "Share with->Specific people".
  • Make sure the file is shared with the "Administrator" users of your domain as well as with the user on the Windows computer on which you are going to create the Group Policy Object.

  • Open "Administrative Tools->Group Policy Management". Right-click your domain and select the "Create a GPO in this domain, and Link it here..." option.
  • Provide a name for the GPO and click "OK".
  • You can add/remove specific users, groups and machines of your domain in the highlighted section. This lets you apply the Group Policy to a specific set of users, groups and computers.
  • Right-click the newly created GPO and select "Edit" from the menu.
  • A new window opens for editing the GPO.
  • Expand "Policies->Software Settings" under Computer Configuration.
  • Go to the shared folder on your system.
  • Right-click the shared folder "mOCredentialProvider" and select Properties from the list.
  • Go to the "Sharing" tab of the Properties window and copy the "Network path".
  • Right-click in the "Software Installation" section area and select "New->Package" from the list.
  • Provide the path copied in the step above.
  • Select the "mOCredentialProvider.msi" file from the shared folder.
  • Select "Assigned" and click "OK" in the window.
  • Double-click the "miniOrangeCredProviderInstaller" package.
  • Go to the "Deployment" tab and click the "Advanced" button.
  • Enable the "Ignore language when deploying this package" checkbox in the Advanced deployment options section and click "OK".
  • Click "Apply" and then "OK" to close the Properties window.

  • Expand "Preferences->Registry" under Computer Configuration.
  • Right-click "Registry" and select "New->Registry Wizard" from the list.
  • Select "Local Computer", since the miniOrange Credential Provider package is installed on this Windows machine. Click "Next".
  • Expand the "HKEY_LOCAL_MACHINE" folder.
  • Go to "SOFTWARE->pGina3" in "HKEY_LOCAL_MACHINE".
  • Enable the checkboxes for all the options present in the "pGina3" folder and click "Finish".
  • Expand the "First Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE->SOFTWARE->pGina3" and make sure all selected options are present.
  • Repeat the same three steps for the "SOFTWARE->pGina3->Plugins->0f52390b-c781-43ae-bd62-553c77fa4cf7" folder.
  • Enable the checkboxes for all options except the "SearchPW" option and click "Finish".
  • Expand the "Second Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE->SOFTWARE->pGina3->Plugins->0f52390b-c781-43ae-bd62-553c77fa4cf7" and make sure all selected options except "SearchPW" are present.
  • Repeat the same three steps for the "SOFTWARE->pGina3->Plugins->12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" folder. Enable the checkboxes for all options and click the "Finish" button.
  • Expand the "Third Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE->SOFTWARE->pGina3->Plugins->12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" and make sure all selected options are present.
  • Repeat the same three steps for the "SOFTWARE->pGina3->Plugins->81f8034e-e278-4754-b10c-7066656de5b7" folder. Enable the checkboxes for all options except the "Password" option and click the "Finish" button.
  • Expand the "Fourth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE->SOFTWARE->pGina3->Plugins->81f8034e-e278-4754-b10c-7066656de5b7" and make sure all selected options except "Password" are present.
  • Repeat the same three steps for the "SOFTWARE->pGina3->Plugins->ffd3547a-c950-4ef4-bb0e-b6523965c021" folder. Enable the checkboxes for all options and click the "Finish" button.
  • Expand the "Fifth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE->SOFTWARE->pGina3->Plugins->ffd3547a-c950-4ef4-bb0e-b6523965c021" and make sure all selected options are present.
  • The Group Policy settings are applied to the computers once they are restarted. You can also force a Group Policy update by running the update command from a command prompt window.
    NOTE: Log in to the other domain-joined Windows computer on which you want to apply these Group Policy settings.
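Two things are worth confirming on a client after the GPO has been linked: that the five registry keys exported by the wizard actually arrived, and that the two values the steps above deliberately leave out ("SearchPW" and "Password") were not pushed. Group Policy Preference items are stored in SYSVOL, which every authenticated domain user can read, so a password shipped that way is exposed to the whole domain. The script below is an added example (not miniOrange's own tooling) that runs on a domain-joined client; the key paths and plugin GUIDs are the ones from the registry wizard steps, and gpupdate is the standard Windows tool for the forced refresh the last step refers to.

```powershell
# Added example, not miniOrange's own code. Run in an elevated PowerShell on a
# domain-joined client after the GPO is linked. Keys and plugin GUIDs are taken from
# the registry wizard steps in this guide; nothing else is assumed.
$base = 'HKLM:\SOFTWARE\pGina3'
$expected = @(
    @{ Path = $base;                                                  Exclude = @() },
    @{ Path = "$base\Plugins\0f52390b-c781-43ae-bd62-553c77fa4cf7";  Exclude = @('SearchPW') },
    @{ Path = "$base\Plugins\12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d";  Exclude = @() },
    @{ Path = "$base\Plugins\81f8034e-e278-4754-b10c-7066656de5b7";  Exclude = @('Password') },
    @{ Path = "$base\Plugins\ffd3547a-c950-4ef4-bb0e-b6523965c021";  Exclude = @() }
)

# Force a computer-policy refresh first so the check reflects the current GPO, not a stale one.
& gpupdate.exe /target:computer /force | Out-Null

$failures = @()
foreach ($entry in $expected) {
    if (-not (Test-Path $entry.Path)) {
        $failures += "missing key: $($entry.Path)"
        continue
    }
    $values = Get-ItemProperty -Path $entry.Path
    # Drop the PS* metadata properties Get-ItemProperty adds; what remains are the registry values.
    $names = @(($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name)
    if ($names.Count -eq 0) {
        $failures += "key has no values (preference not applied?): $($entry.Path)"
    }
    foreach ($secret in $entry.Exclude) {
        # A credential pushed through Group Policy Preferences lands in SYSVOL, readable by every
        # authenticated domain user, so its presence here is a finding rather than a success.
        if ($names -contains $secret) {
            $failures += "value '$secret' must not be deployed via GPO but is present under $($entry.Path)"
        }
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'All pGina3 registry preferences present; excluded secrets absent.'
```

The same caution applies to the package share created earlier in this step: grant domain computers read access only, because a share that clients can write to lets anyone with write access replace the MSI that every machine installs at its next policy refresh.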

6. Configure Your User Directory (Optional)

miniOrange provides user authentication from various external sources, which can be directories (such as ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito), identity providers (such as Okta, Shibboleth, Ping, OneLogin, KeyCloak), databases (such as MySQL, MariaDB, PostgreSQL) and many more. You can configure your existing directory/user store or add users in miniOrange.

There are two ways to add your users in miniOrange:

1. Create a User in miniOrange

  • Click on Users >> Add User.
  • Fill in the user details without the password and then click the Create User button.
  • After successful user creation, the notification message "An end user is added successfully" is displayed at the top of the dashboard.
  • Click the On Boarding Status tab. Check the email with the registered e-mail id, select the action Send Activation Mail with Password Reset Link from the Select Action dropdown list and then click the Apply button.
  • Now open your email. Open the mail you received from miniOrange and click the link to set your account password.
  • On the next screen, enter the password and confirm it, then click the Single Sign-On (SSO) reset password button.
  • Now you can log in to your miniOrange account by entering your credentials.

2. Bulk Upload Users in miniOrange by Uploading a CSV File

  • Navigate to Users >> User List. Click the Add User button.
  • In Bulk User Registration, download the sample CSV format from the console and edit this CSV file according to the instructions.
  • To bulk upload users, choose the file, make sure it is in comma-separated .csv format, then click Upload.
  • After the CSV file is uploaded successfully, you will see a success message with a link.
  • Click that link to see the list of users to send the activation mail to. Select the users and click Send Activation Mail. An activation mail is sent to the selected users.

Configure AD/LDAP as a User Store

  • Click on User Stores >> Add User Store in the left menu of the dashboard.
  • Select User Store type as AD/LDAP.
    1. STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If Active Directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
    2. STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration on your premises and only allow access to AD inside your premises. You will have to download and install the miniOrange gateway on your premises.
  • Enter the LDAP Display Name and LDAP Identifier name.
  • Select Directory Type as Active Directory.
  • Enter the LDAP Server URL or IP address in the LDAP Server URL field.
  • Click the Test Connection button to verify that you can connect to your LDAP server.
  • In Active Directory, go to the properties of the user containers/OUs and look up the Distinguished Name attribute.
  • Enter the valid Bind account password.
  • Click the Test Bind Account Credentials button to verify your LDAP bind credentials for the LDAP connection.
  • Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished Name.
  • Select a suitable Search Filter from the dropdown menu. To use a custom search filter, select the "Custom Search Filter" option and customize it accordingly.
  • You can also configure the following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click the Save button to add the user store.

    Here is the list of the attributes and what each does when enabled. You can enable/disable them accordingly.

    Attribute                        Description
    -------------------------------  -----------------------------------------------------------------------------------------------
    Activate LDAP                    All user authentications will be done with LDAP credentials if you activate it.
    Sync users in miniOrange         Users will be created in miniOrange after authentication with LDAP.
    Backup Authentication            If LDAP credentials fail, the user will be authenticated through miniOrange.
    Allow users to change password   Allows your users to change their password; the new credentials are updated in your LDAP server.
    Enable administrator login       On enabling this, your miniOrange Administrator login authenticates using your LDAP server.
    Show IdP to users                If you enable this option, this IdP will be visible to users.
    Send Configured Attributes       If you enable this option, only the attributes configured below will be sent at the time of login.

  • Click Save. After this, the list of user stores is shown. Click Test Configuration to check whether you have entered valid details; it asks for a username and password.
  • On successful connection with the LDAP server, a success message is shown.
  • Click Test Attribute Mapping.
  • Enter a valid Username, then click Test. The mapped attributes corresponding to the user are fetched.
  • After successful Attribute Mapping configuration, go back to the LDAP configuration and enable Activate LDAP in order to authenticate users from AD/LDAP.
  • Refer to our guide to set up LDAPS on Windows Server.
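The three console checks in the list above (Test Connection, Test Bind Account Credentials, Test Attribute Mapping) can be reproduced from PowerShell before the values are typed into the console, which makes it easier to tell a wrong Search Base from a wrong bind password. The script below is an added example (not miniOrange's own code) using the .NET System.DirectoryServices.Protocols classes over LDAPS. The server name, bind DN, Search Base, test user and the sAMAccountName-based filter are placeholders and assumptions; substitute your own values.

```powershell
# Added example, not miniOrange's own code. Server, bind DN, Search Base, test user and
# the search filter below are placeholders/assumptions; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost   = 'dc01.example.local'                                         # placeholder LDAP Server URL/IP
$ldapPort   = 636                                                          # LDAPS; see the LDAPS guide linked above
$bindDn     = 'CN=svc-miniorange,OU=Service Accounts,DC=example,DC=local'  # placeholder bind account DN
$searchBase = 'OU=Users,DC=example,DC=local'                               # placeholder Search Base
$testUser   = 'jdoe'                                                       # placeholder sAMAccountName
$attrs      = [string[]]@('sAMAccountName', 'mail', 'userPrincipalName', 'distinguishedName')

function Escape-LdapFilterValue([string]$v) {
    # RFC 4515 escaping: a value taken from user input must not be able to change the filter structure.
    $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Test Connection + Test Bind Account Credentials: a simple bind, but only over LDAPS.
$bindPw = Read-Host -Prompt "Password for $bindDn" -AsSecureString
$cred   = New-Object System.Net.NetworkCredential($bindDn, $bindPw)
$id     = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, $ldapPort)
$conn   = New-Object System.DirectoryServices.Protocols.LdapConnection(
              $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true   # a simple bind sends the password; never do it in clear text
$conn.SessionOptions.ProtocolVersion   = 3
try {
    $conn.Bind()
    Write-Host "Bind as $bindDn succeeded"
} catch [System.DirectoryServices.Protocols.DirectoryException] {
    throw "Bind failed (check Server URL, bind DN or password): $($_.Exception.Message)"
}

# Test Attribute Mapping: look the test user up below the Search Base and show the mapped attributes.
$filter = "(&(objectClass=user)(sAMAccountName=$(Escape-LdapFilterValue $testUser)))"
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest(
              $searchBase, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
$resp   = $conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one entry for '$testUser' under $searchBase, got $($resp.Entries.Count); check Search Base and Search Filter"
}
$entry = $resp.Entries[0]
foreach ($a in $attrs) {
    $value = if ($entry.Attributes.Contains($a)) { $entry.Attributes[$a][0] } else { '<not set>' }
    '{0,-20} {1}' -f $a, $value
}
$conn.Dispose()
```

If the bind succeeds but the search returns zero entries, the Search Base or filter is wrong rather than the credentials; more than one entry means the filter is too broad for the credential provider to identify the user unambiguously.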

User Import and Provisioning from AD

  • Go to Settings in the Customer Admin Account.
  • Enable the "Enable User Auto Registration" option and click Save.
  • (Optional) To send a welcome email to all the end users that will be imported, enable the "Enable sending Welcome Emails after user registration" option and click Save.
  • From the left-side menu of the dashboard, select Provisioning.
  • In the Setup Provisioning tab, select Active Directory in the Select Application dropdown.
  • Toggle the Import Users tab and click the Save button.
  • In the same section, switch to the Import Users section.
  • Select Active Directory from the dropdown and click the Import Users tab to import all the users from Active Directory to miniOrange.
  • You can view all the users you have imported by selecting Users >> User List from the left panel.
  • All the imported users will be auto registered.
  • These groups will be helpful in adding multiple 2FA policies on the applications.

miniOrange integrates with various external user sources such as directories, identity providers, and more.

Not able to find your IdP or need help setting it up?

Contact us or email us at idpsupport@xecurify.com and we'll help you set it up in no time.



miniOrange Credential Provider for Remote Desktop Service (RDP)

The user initiates the login to Remote Desktop Services either through a Remote Desktop client or via the RD Web login page in a browser. The miniOrange RD Web component installed on the target machine then sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD; after successful authentication, 2-factor authentication of the user is invoked. Once the user has validated themselves, they are granted access to the Remote Desktop Service (RDP).


A user can connect to RDS (Remote Desktop Services) in two ways:

  • RDC - Remote Desktop Client: If the RemoteApp is launched through a Remote Desktop client application, users complete their 2-factor authentication as they enter the Username and Password to get access to the resources. (Because this method does not support the RADIUS access-challenge response, only out-of-band authentication methods are supported.)
  • RD Web Access - RD login page via browser: If the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for 2-factor authentication via a RADIUS challenge request. After users correctly authenticate themselves, they are connected to their resources.

Two-Factor Authentication(2FA/MFA) for RDS via RD Web

How it works

  • In this case, the user goes to the RD Web login page in a browser to connect to the Remote Desktop Service. The user enters the Username and Password, and on submission the RADIUS request from the RD Web component installed on the target machine is sent to the miniOrange RADIUS server, which authenticates the user via the local AD on the target machine.
  • Once authenticated, it sends a RADIUS challenge to RD Web, and RD Web shows the OTP screen in the browser. Once the user enters the One Time Passcode, the miniOrange IdP verifies it and grants or denies access to the RDS.
  • With this, after the user is connected to the Remote Desktop Service, the user can also access the published RemoteApp icons on the browser screen, since the session has already been created for the user.

RDS via RD Web demonstration user flow
