UserLock Documentation

How to apply MFA for IIS Apps such as OWA, RDWeb and SharePoint

When UserLock MFA for IIS is enabled for a given IIS application (Outlook Web Access, covered in this advanced use case; RDWeb; SharePoint; CRM; an intranet website, and so on), the UserLock IIS agent redirects the user to a dedicated MFA web application. There the user enrolls for MFA and enters the MFA code before being allowed into the protected IIS application.

Video Tutorial

A walk-through on how to add two-factor authentication for Outlook Web Access and RDWeb with UserLock

Procedure

In this use case, we are going to protect a single web application (Outlook Web Access) using MFA for IIS.

  1. Install the UserLock IIS agent on the IIS server
  2. Install the UserLock IIS MFA feature
  3. Add the UserLock MFA application in IIS
  4. Add the URL of the MFA application in the MFA settings in the UserLock console
  5. Apply MFA to IIS session for protected users
  6. Perform an MFA IIS connection

1. Install the UserLock IIS agent on the IIS server

Prerequisites

  • IIS applications must be protected by the UserLock 'IIS agent' using HTTP Module technology. See the specific section below.
  • The UserLock "IIS MFA" feature must be installed on the IIS server to which users are redirected when MFA is required. See the specific section below.
  • Using split-brain DNS, the IIS server hosting the IIS MFA module must resolve and be reachable under its DNS name in both of the following cases:
    • internally, from within the private network;
    • externally, from the Internet.
  • The external router is configured to forward the designated port (typically 443 for HTTPS) from the outside to the IIS server hosting the IIS MFA module.
  • NOTE: An Exchange Client Access Server is an example of a server that meets the above criteria.
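The following PowerShell script is an added example (not IS Decisions' code) that checks the reachability prerequisites listed above from the machine it runs on. It assumes a placeholder MFA host name of mfa.example.com, a published port of 443, and uses the public resolver 1.1.1.1 to obtain the "external" view of the split-brain DNS name; it relies on Resolve-DnsName and Test-NetConnection, which are available on Windows Server 2012 and later.

```powershell
# Added example, not part of the UserLock documentation or product.
# Checks the split-brain DNS and port-forwarding prerequisites for the IIS MFA host.
param(
    [string]$MfaHost        = 'mfa.example.com',  # placeholder: your IIS MFA server's DNS name
    [int]$Port              = 443,                # the port forwarded by the external router (assumed 443)
    [string]$PublicResolver = '1.1.1.1'           # any public resolver, to see the external answer
)

$result = [ordered]@{}

# Internal view: what the private network's own resolver returns for the name.
$internal = Resolve-DnsName -Name $MfaHost -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
$result.InternalAddresses = $internal

# External view: what the Internet sees. With split-brain DNS this is normally a
# different, public address that the router forwards to the IIS server.
$external = Resolve-DnsName -Name $MfaHost -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
$result.ExternalAddresses = $external

# TCP reachability of the designated port from this machine. Run from inside the
# network this proves the internal path; run again from an Internet-connected host
# to prove the external path through the router.
$tnc = Test-NetConnection -ComputerName $MfaHost -Port $Port -WarningAction SilentlyContinue
$result.PortOpenFromHere = $tnc.TcpTestSucceeded

[pscustomobject]$result

if (-not $internal) { Write-Warning "'$MfaHost' does not resolve internally." }
if (-not $external) { Write-Warning "'$MfaHost' does not resolve via the public resolver $PublicResolver." }
if ($internal -and $external -and -not (Compare-Object $internal $external)) {
    Write-Warning 'Internal and external answers are identical: check that split-brain DNS is really in place.'
}
if (-not $tnc.TcpTestSucceeded) { Write-Warning "TCP port $Port on '$MfaHost' is not reachable from this machine." }
```

Run it once from a workstation on the private network and once from a host outside it; both runs should report the name resolving and the port open, with the external run returning the public address that the router forwards.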


IIS applications must be protected by the UserLock 'IIS agent' using HTTP Module technology.

  1. Run the UserLock console.
  2. In the "Agent distribution" view, select the “IIS” line of the IIS server that will be hosting the IIS applications to protect with UserLock. Right click and select "Install".
  3. On this target IIS server, configure the IIS applications to protect with the UserLock 'IIS agent' using HTTP Module technology. For details, see this page.

2. Install the UserLock IIS MFA feature

The UserLock "IIS MFA" feature must be installed on the IIS server to which users are redirected when MFA is required. Note that this feature is not installed if you chose "Standard" when you installed UserLock.

  1. Log on to the IIS server to which users are redirected when MFA is required.
  2. If UserLock is already installed:

    • Open Control Panel, Uninstall a program, select UserLock and click Change:

    • Click "Web Applications", then "IIS MFA", and select "The feature will be installed…".
  3. On a new UserLock installation, choose "Custom", then click "Web Applications", then "IIS MFA", and select "The feature will be installed…":

  4. If installing on Windows Server 2012 R2, the installer proposes additional dependencies that must be installed:

    • Choose "Yes":

    • Microsoft Visual C++ 2015 Redistributable Package (x64) is installed automatically:

    • Microsoft .NET Core 3.1.8 is installed automatically:

  5. If no IIS application is protected by UserLock on this server and you only want to configure IIS MFA on it:

    • Run the UserLock console. In the "Agent distribution" view, select the "IIS" line of the IIS server to which users are redirected when MFA is required. Right click and select "Install"; this deploys the UserLock server name(s) to the registry of that server.
    • Log on to the target IIS server, run Regedit and delete the following registry value:

      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\Volatile\UlStatus

3. Add the UserLock MFA application in IIS

There are three available methods to add the MFA application in IIS. You can install it through the configuration wizard (12.1 and higher), through a command line tool or via the IIS Manager console.

3.1: Configuration wizard (12.1 and higher)

  1. Launch the configuration wizard by searching for it in the start menu. Click on "Configure" next to MFA for IIS.

  2. The wizard will check if all Windows components are installed. If some are missing, you will be prompted to install them.

  3. Choose the website where you want to add the application.

  4. Once the application is successfully installed, you can continue with the next step.

3.2: Command line tool

To install it with the command line tool, run UserLockInstaller.exe from %ProgramFiles(x86)%\ISDecisions\UserLock\UserLockInstaller.

Once the application is successfully installed, you can continue with the next step.

3.3 Manually through the IIS Manager console

  1. In IIS Manager, create a new application pool with the following parameters:

    • Name: 'UserLockIisMfaAppPool'
    • .NET CLR version: No Managed Code
    • Managed pipeline mode: Integrated
  2. On older Windows Server versions such as Windows Server 2008 R2 and Windows Server 2012, open Advanced Settings / Process Model and set "Load User Profile" to True.
    On newer Windows Server versions this is optional.

  3. Under the Default Web Site, add a new application that uses the application pool created above:

  4. Set the application's physical path to the "MFA_IIS" folder under the UserLock installation folder (by default "%ProgramFiles(x86)%\ISDecisions\UserLock\MFA_IIS") and click OK to continue.

  5. Restart IIS (the "W3SVC" service).
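The same five steps can be scripted. The PowerShell below is an added example (not IS Decisions' code; the product's own tooling is the wizard or UserLockInstaller.exe above) that uses the WebAdministration module shipped with IIS. It assumes the site is "Default Web Site", UserLock is installed in its default folder, and an application alias of "UserLockMFA", which the page does not prescribe; pick your own alias if you prefer.

```powershell
# Added example, not part of the UserLock documentation or product.
# Creates the application pool and the IIS application for the MFA_IIS folder,
# then restarts W3SVC and verifies the result.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$poolName = 'UserLockIisMfaAppPool'
$siteName = 'Default Web Site'
$appAlias = 'UserLockMFA'    # assumed alias; the page does not fix one
$physPath = Join-Path ${env:ProgramFiles(x86)} 'ISDecisions\UserLock\MFA_IIS'

if (-not (Test-Path $physPath)) {
    throw "MFA_IIS folder not found at $physPath. Install the 'IIS MFA' feature first (step 2)."
}

# Step 1: application pool with No Managed Code and the Integrated pipeline.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ''            # '' = No Managed Code
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode  -Value 'Integrated'

# Step 2: Load User Profile. Required on Windows Server 2008 R2 / 2012, optional
# on newer versions; setting it unconditionally is harmless.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $true

# Steps 3 and 4: application under the site, pointing at MFA_IIS and using the pool.
if (-not (Get-WebApplication -Site $siteName -Name $appAlias)) {
    New-WebApplication -Site $siteName -Name $appAlias -PhysicalPath $physPath -ApplicationPool $poolName | Out-Null
} else {
    Set-ItemProperty "IIS:\Sites\$siteName\$appAlias" -Name applicationPool -Value $poolName
    Set-ItemProperty "IIS:\Sites\$siteName\$appAlias" -Name physicalPath    -Value $physPath
}

# Step 5: restart IIS so the new pool and application are picked up.
Restart-Service W3SVC

# Verification: show what was created and the site's HTTPS binding(s). The MFA page
# handles enrollment and one-time codes, so it should only be published over HTTPS.
Get-WebApplication -Site $siteName -Name $appAlias | Format-List Path, PhysicalPath, ApplicationPool
$https = Get-WebBinding -Name $siteName -Protocol https
if (-not $https) {
    Write-Warning "Site '$siteName' has no HTTPS binding; add one before exposing the MFA application."
}
$https | Format-Table protocol, bindingInformation -AutoSize
```

With these assumptions the MFA application answers at https://<site host name>/UserLockMFA; that is the URL to enter in the next step.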

4. Add the URL of the MFA application in the MFA settings in the UserLock console

Run the UserLock console. In the "Multi-factor authentication" view, fill in "URL of IIS MFA app" with the URL of the IIS MFA application configured just above. Click the Test button to check the connection, then click Apply to save your settings.

5. Apply MFA to IIS session for protected users

In the MFA section of the protected account, select the IIS connection type and the frequency at which the user should be prompted for MFA.

6. Perform an MFA IIS connection

  1. Browse to your IIS application protected by UserLock.

  2. When prompted, enroll in the IIS MFA application by scanning the QR code it displays.

  3. For subsequent logons, only the MFA code is requested.

Limitation

For Microsoft Exchange, this feature works only for Outlook Web Access (OWA) and the Exchange Control Panel (ECP). All other Exchange applications are listed by default as unsupported in the advanced settings (press F7 in the UserLock console). Access to the same mailboxes through those other Exchange client protocols is therefore not subject to this MFA prompt; keep that in mind when assessing what the OWA protection actually covers.